[Python-modules-team] Bug#733108: marked as done (python3-requests: redirect can expose netrc password)

Tue, 16 Sep 2014 14:55:44 -0700 

Your message dated Tue, 16 Sep 2014 23:50:56 +0200
with message-id <[email protected]>
and subject line Re: Bug#733108: python3-requests: redirect can expose netrc 
password
has caused the Debian Bug report #733108,
regarding python3-requests: redirect can expose netrc password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
733108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: python3-requests
Version: 2.0.0-1
Tags: security
If site A redirects to site B, and user had a password for site A in their ~/.netrc, then requests would send authorization information both to site A and to site B.
I've attached a netrc file and a pair of test scripts that should help reproducing the bug. 

--
Jakub Wilk

#!/usr/bin/python3

import http.server
import io

class RequestHandler(http.server.BaseHTTPRequestHandler):

    def do_GET(self):
        if self.path.startswith('/redirect/'):
            self.send_response(303)
            self.send_header('Location', self.path[10:])
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            s = 'host: {}\n'.format(self.headers.get('Host'))
            self.wfile.write(s.encode())
            s = 'auth: {}\n'.format(self.headers.get('Authorization'))
            self.wfile.write(s.encode())

if __name__ == '__main__':
    http.server.test(RequestHandler)

# vim:ts=4 sw=4 et

#!/usr/bin/python3

import requests

response = requests.get("http://localhost:8000/redirect/http://127.0.0.42:8000/";)
print(response.text)

machine localhost
login eggs password ham

--- End Message ---
--- Begin Message --- 
Version: 2.3.0-1

It looks like the bug was fixed upstream in 2.3.0:
- No longer expose Authorization or Proxy-Authorization headers on redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively. 

--
Jakub Wilk

--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

Reply via email to