Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 3052 by yuzi...@gmail.com: security vulnerability: python injection
http://code.google.com/p/reviewboard/issues/detail?id=3052

*** For customer support, please post to reviewbo...@googlegroups.com
*** If you have a patch, please submit it to
http://reviews.reviewboard.org/
***
*** Do not post confidential information in this bug report!

What version are you running?
1.7.11


What steps will reproduce the problem?
import rbtools.api.client
r = rbtools.api.client.RBClient('http://my-reviewboard', username='my_username', password='my_password')
r.get_root().get_user(username='quit()')


What is the expected output?

{u'stat': u'fail', u'err': {u'msg': u'Object does not exist', u'code': 100}}
'{"stat": "fail", "err": {"msg": "Object does not exist", "code": 100}}'
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
File "/Library/Python/2.7/site-packages/rbtools/api/resource.py", line 441, in <lambda>
    self._get_template_request(url, **kwargs)))
File "/Library/Python/2.7/site-packages/rbtools/api/decorators.py", line 24, in request_method
    *args, **kwargs)
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 54, in execute_request_method
    return self._execute_request(request)
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 63, in _execute_request
    rsp = self.server.make_request(request)
File "/Library/Python/2.7/site-packages/rbtools/api/request.py", line 414, in make_request
    self.process_error(e.code, e.read())
File "/Library/Python/2.7/site-packages/rbtools/api/request.py", line 387, in process_error
    rsp['err']['msg'])
rbtools.api.errors.APIError: Object does not exist (HTTP 404, API Error 100)


What do you see instead?

'\n<!DOCTYPE html>\n<html lang="en">\n<head>\n <meta http-equiv="content-type" content="text/html; charset=utf-8">\n <title>Page not found at /api/users/quit()/</title>\n <meta name="robots" content="NONE,NOARCHIVE">\n <style type="text/css">\n html * { padding:0; margin:0; }\n body * { padding:10px 20px; }\n body * * { padding:0; }\n body { font:small sans-serif; background:#eee; }\n body>div { border-bottom:1px solid #ddd; }\n h1 { font-weight:normal; margin-bottom:.4em; }\n h1 span { font-size:60%; color:#666; font-weight:normal; }\n table { border:none; border-collapse: collapse; width:100%; }\n td, th { vertical-align:top; padding:2px 3px; }\n th { width:12em; text-align:right; color:#666; padding-right:.5em; }\n #info { background:#f6f6f6; }\n #info ol { margin: 0.5em 4em; }\n #info ol li { font-family: monospace; }\n #summary { background: #ffc; }\n #explanation { background:#eee; border-bottom: 0px none; }\n </style>\n</head>\n<body>\n <div id="summary">\n <h1>Page not found <span>(404)</span></h1>\n <table class="meta">\n <tr>\n <th>Request Method:</th>\n <td>GET</td>\n </tr>\n <tr>\n <th>Request URL:</th>\n <td>http://purpleslam-reviewboard.apple.com/api/users/quit()/</td>\n </tr>\n </table>\n </div>\n <div id="info">\n \n <p>\n Using the URLconf defined in <code>djblets.util.rooturl</code>,\n Django tried these URL patterns, in this order:\n </p>\n <ol>\n \n <li>\n \n ^\n \n \n ^admin/extensions/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^admin/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^static\\/(?P&lt;path&gt;.*)$\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^media\\/(?P&lt;path&gt;.*)$\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^js-tests/$\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^account/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^s/(?P&lt;local_site_name&gt;[A-Za-z0-9\\-_.]+)/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^$\n [name=\'root\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^$\n [name=\'root-resource\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^default-reviewers/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^extensions/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^hosting-service-accounts/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^repositories/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^groups/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^review-requests/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^search/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^info/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^session/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^users/\n \n \n ^$\n [name=\'users-resource\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^users/\n \n \n ^(?P&lt;username&gt;[A-Za-z0-9@\\._-]+)/$\n [name=\'user-resource\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^users/\n \n \n ^(?P&lt;username&gt;[A-Za-z0-9@\\._-]+)/watched/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^api/\n \n \n ^$\n [name=\'root-resource\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^r/\n \n \n </li>\n \n <li>\n \n ^\n \n \n ^dashboard/$\n [name=\'dashboard\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^support/$\n [name=\'support\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^users/$\n [name=\'all-users\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^users/(?P&lt;username&gt;[A-Za-z0-9@_\\-\\.]+)/$\n [name=\'user\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^users/(?P&lt;username&gt;[A-Za-z0-9@_\\-\\.]+)/infobox/$\n [name=\'user-infobox\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^groups/$\n [name=\'all-groups\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^groups/(?P&lt;name&gt;[A-Za-z0-9_-]+)/$\n [name=\'group\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^groups/(?P&lt;name&gt;[A-Za-z0-9_-]+)/members/$\n [name=\'group_members\']\n \n </li>\n \n <li>\n \n ^\n \n \n ^account/logout/$\n [name=\'logout\']\n \n </li>\n \n </ol>\n <p>The current URL, <code>api/users/quit()/</code>, didn\'t match any of these.</p>\n \n </div>\n\n <div id="explanation">\n <p>\n You\'re seeing this error because you have <code>DEBUG = True</code> in\n your Django settings file. Change that to <code>False</code>, and Django\n will display a standard 404 page.\n </p>\n </div>\n</body>\n</html>\n'
Traceback (most recent call last):
  ...
    rb_client.get_root().get_user(username=u)
File "/Library/Python/2.7/site-packages/rbtools/api/resource.py", line 441, in <lambda>
    self._get_template_request(url, **kwargs)))
File "/Library/Python/2.7/site-packages/rbtools/api/decorators.py", line 24, in request_method
    *args, **kwargs)
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 54, in execute_request_method
    return self._execute_request(request)
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 63, in _execute_request
    rsp = self.server.make_request(request)
File "/Library/Python/2.7/site-packages/rbtools/api/request.py", line 414, in make_request
    self.process_error(e.code, e.read())
File "/Library/Python/2.7/site-packages/rbtools/api/request.py", line 390, in process_error
    raise APIError(http_status, None, None, data)
rbtools.api.errors.APIError: HTTP 404


It looks like Django has actually shut down.

Subsequent attempts to query reviewboard at all will look like:

Traceback (most recent call last):
...
outgoing_review_query = rb_client.get_root().get_review_requests(status='pending', from_user=from_user) File "/Library/Python/2.7/site-packages/rbtools/api/client.py", line 16, in get_root
    return self._transport.get_root(*args, **kwargs)
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 35, in get_root
    return self._execute_request(HttpRequest(self.server.url))
File "/Library/Python/2.7/site-packages/rbtools/api/transport/sync.py", line 63, in _execute_request
    rsp = self.server.make_request(request)
File "/Library/Python/2.7/site-packages/rbtools/api/request.py", line 416, in make_request
    raise ServerInterfaceError("%s" % e.reason)
rbtools.api.errors.ServerInterfaceError: [Errno 60] Operation timed out


What operating system are you using? What browser?

ReviewBoard is running on Ubuntu. I am running RBTools from a Mac running OSX.

Please provide any additional information below.


--
You received this message because this project is configured to send all issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at http://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to