-
-
Notifications
You must be signed in to change notification settings - Fork 30.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpo-43223: [SECURITY] Patched Open Redirection In SimpleHTTPServer Module #24848
Conversation
Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst
Outdated
Show resolved
Hide resolved
e2137b6
to
403490c
Compare
f61138a
to
0fe6eed
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please try to write an unit test?
This PR is stale because it has been open for 30 days with no activity. |
Sorry I was busy with my other projects. |
0fe6eed
to
3717f3f
Compare
Since I'm new to writing test cases, please help me in correcting the code if something went wrong. |
Misc/NEWS.d/next/Security/2021-03-13-21-25-29.bpo-43223.ieBVWq.rst
Outdated
Show resolved
Hide resolved
Fix an open redirection vulnerability in the HTTP server when a URL contains ``//``. Added test case for bpo-43223 patch
3717f3f
to
42eb552
Compare
@vstinner please have a look at the unit test. |
|
||
def test_http_parse_request(self): | ||
self.assertEqual(re.sub(r'^/+', '/', '//test.com'), '/test.com', '//test.com should be converted to a proper relative path') | ||
self.assertEqual(re.sub(r'^/+', '/', '///test.com'), '/test.com', '///test.com should be converted to a proper relative path') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't test anything useful. It only checks that some regular expression matches two strings. Since your code change is in http.server
, your test should execute the http.server
path that you changed.
A good test should fail without your code change to http.server
, and pass with your change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I've been away due to my workload. But now as I've got some spare time I can do it better. As I've already said earlier that I'm new to writing these test cases and after checking out your comment I'm still confused about your requirements
Can you please elaborate these two statements:
Since your code change is in http.server, your test should execute the http.server path that you changed.
and this one:
A good test should fail without your code change to http.server, and pass with your change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hamzaavvan, to put it in the simplest terms:
- on a clean checkout of the
main
branch, write a test that fails because it triggers the problem described in BPO-43223; this will prove we have a problem; - then include your fix to prove that the fix solved the problem.
The test will have to actually run the HTTP server to be useful.
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
@hamzaavvan ping :) |
I've lost access to my account 😥 replying from email..
…On Fri, Apr 8, 2022, 6:26 PM Jakub Hadvig ***@***.***> wrote:
@hamzaavvan <https://github.com/hamzaavvan> ping :)
—
Reply to this email directly, view it on GitHub
<#24848 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACNY3RNMO7QIH6RKTIMDD53VEAXYXANCNFSM4ZEGXF4Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
This PR has been replaced by #93879 |
Due to no protection against multiple (/) at the beginning of a url an attacker could achieve an open redirection by crafting a malformed URI followed by an existing directory.
Payload:
http://127.0.0.1:8000//attacker.com/..%2f..%2f../anyexistingdirectory
The main reason behind open redirection is that there's no (/) at the end of
anyexistingdirectory
because the server is checking for the path supplied is a valid directory atsend_head()
method from Lib/http/server.py. Right after that, it's checking for the path ending with a (/) or not. So, if there's no (/) at the end of the path then the server will issue a Location header to redirect the web client to that specific directory.While issuing the redirection, this part
//attacker.com/..%2f..%2f../anyexistingdirectory
will be sent to the Location header's value due to which any web client or browser will consider it as a new url because of multiple (/) at the beginning of the path.So to mitigate this issue I decided to use regex to replace all the occurrences of (/) from the beginning of the path.
This regex will replace multiple entries (if present) of (/) or (\) from the beginning of the path. So that the path would be:
And according to these test cases there was no redirection issued from the server after implementing the fix.
https://bugs.python.org/issue43223