On Thu, Jun 7, 2018 at 11:09 PM, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote: > On Thu, 07 Jun 2018 22:46:09 +1000, Chris Angelico wrote: > >>> I wonder how many publicly facing web servers can be induced to either >>> crash, or serve the wrong content, this way? >>> >>> >> Define "serve the wrong content". You could get the exact same content >> by asking for "te" instead of "te%00st.html"; > > Perhaps so, but maybe you can bypass access controls to te and get access > to it even though it is supposed to be private. > > This is a real vulnerability, called null-byte injection. > > One component of the system sees a piece of input, truncates it at the > NULL, and validates the truncated input; then another component acts on > the untruncated (and unvalidated) input. > > https://resources.infosecinstitute.com/null-byte-injection-php/ > > https://capec.mitre.org/data/definitions/52.html > > Null-byte injection attacks have lead to remote attackers executing > arbitrary code. That's unlikely in this scenario, but given that most web > servers are written in C, not Python, it is conceivable that they could > do anything under a null-byte injection attack.
Fair point. So you should just truncate early and have done with it. Easy. > Does the Python web server suffer from that vulnerability? I would be > surprised if it were. But it can be induced to crash (an exception, not a > seg fault) which is certainly a vulnerability. "Certainly"? I'm dubious on that. This isn't C, where a segfault usually comes after executing duff memory, and therefore it's plausible to transform a segfault into a remote code execution exploit. This is Python, where we have EXCEPTION handling. Tell me, is this a vulnerability? @app.route("/foo") def foo(): return "Kaboom", 500 What about this? @app.route("/bar") def bar(): 1/0 return "Won't get here" Put those into a Flask app and see what they do. One of them will explicitly return a 500. The other will crash... and will return a 500. Is either of those a security problem? Now let's suppose a more realistic version of the latter: @app.route("/paginate/<int:size>"): def paginate(size): total_pages = total_data/size ... Yes, it's a bug. If someone tries a page size of zero, it'll divide by zero and bomb. Great. But how is it a vulnerability? It is a properly-handled exception. It's slightly different with SimpleHTTPServer, as it fails to properly send back the 500. That would be a bug IMO. Even then, though, all you can do is clog the server with unfinished requests - and you can do that much more easily by just connecting and being really slow to send data. (And I doubt that people are using SimpleHTTPServer in security-sensitive contexts anyway.) ChrisA -- https://mail.python.org/mailman/listinfo/python-list