[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Victor Stinner vstinner at redhat.com
Wed Apr 10 06:51:50 EDT 2019


Hi,

I dig into Python code history and the bug tracker. I would like to
say that this issue is a work-in-progress since 2004. Different fixes
have been pushed, but there are *A LOT* of open issues:
https://bugs.python.org/issue30458#msg339846

I would suggest to discuss on https://bugs.python.org/issue30458
rather than here, just to avoid to duplicate discussions ;-)

Note: the whole class of issue (HTTP Header Injection) got at least 3
CVE: CVE-2016-5699, CVE-2019-9740, CVE-2019-9947. I changed bpo-30458
title to "[security][CVE-2019-9740][CVE-2019-9947] HTTP Header
Injection (follow-up of CVE-2016-5699)".

Victor

Le mer. 10 avr. 2019 à 12:20, Wes Turner <wes.turner at gmail.com> a écrit :
>
> 1. Is there a library of URL / Header injection tests e.g. for fuzzing that we could generate additional test cases with or from?
>
> 2. Are requests.get() and requests.post() also vulnerable?
>
> 3. Despite the much-heralded UNIX pipe protocols' utility, filenames containing newlines (the de-facto line record delimiter) are possible: "file"$'\n'"name"
>
> Should filenames containing newlines and control characters require a kwarg to be non-None in order to be passed through unescaped to the HTTP request?
>
> On Wednesday, April 10, 2019, Karthikeyan <tir.karthi at gmail.com> wrote:
>>
>> Thanks Gregory. I think it's a good tradeoff to ensure this validation only for URLs of http scheme.
>>
>> I also agree handling newline is little problematic over the years and the discussion over the level at which validation should occur also prolongs some of the patches. https://bugs.python.org/issue35906 is another similar case where splitlines is used but it's better to raise an error and the proposed fix could be used there too. Victor seemed to wrote a similar PR like linked one for other urllib functions only to fix similar attack in ftplib to reject newlines that was eventually fixed only in ftplib
>>
>> * https://bugs.python.org/issue30713
>> * https://bugs.python.org/issue29606
>>
>> Search also brings multiple issues with one duplicate over another that makes these attacks scattered over the tracker and some edge case missing. Slightly off topic, the last time I reported a cookie related issue where the policy can be overriden by third party library I was asked to fix it in stdlib itself since adding fixes to libraries causes maintenance burden to downstream libraries to keep up upstream. With urllib being a heavily used module across ecosystem it's good to have a fix landing in stdlib that secures downstream libraries encouraging users to upgrade Python too.
>>
>> Regards,
>> Karthikeyan S
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/vstinner%40redhat.com



-- 
Night gathers, and now my watch begins. It shall not end until my death.


More information about the Python-Dev mailing list