[issue11671] Security hole in wsgiref.headers.Headers

2019-08-14 Thread Ashwin Ramaswami


Change by Ashwin Ramaswami :


--
nosy: +martin.panter

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue11671] Security hole in wsgiref.headers.Headers

2019-08-14 Thread Ashwin Ramaswami


Change by Ashwin Ramaswami :


--
pull_requests: +15022
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/15299




[issue11671] Security hole in wsgiref.headers.Headers

2019-08-14 Thread Ashwin Ramaswami


Change by Ashwin Ramaswami :


--
nosy: +epicfaace
versions: +Python 3.8, Python 3.9




[issue11671] Security hole in wsgiref.headers.Headers

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee: pje -> 
versions: +Python 3.5, Python 3.6, Python 3.7 -Python 2.6, Python 3.1, Python 
3.2, Python 3.3




[issue11671] Security hole in wsgiref.headers.Headers

2013-08-18 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever




[issue11671] Security hole in wsgiref.headers.Headers

2013-08-17 Thread Christian Heimes

Christian Heimes added the comment:

What do the RFCs for RFC-822 and HTTP 1.1 say about \r and \n in header names?

--
nosy: +christian.heimes




[issue11671] Security hole in wsgiref.headers.Headers

2013-08-17 Thread Devin Cook

Devin Cook added the comment:

It looks like it's allowed for header line continuation.

http://www.ietf.org/rfc/rfc2616.txt

HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding, has the same semantics as SP. A
recipient MAY replace any linear white space with a single SP before
interpreting the field value or forwarding the message downstream.

...

A CRLF is allowed in the definition of TEXT only as part of a header
field continuation. It is expected that the folding LWS will be
replaced with a single SP before interpretation of the TEXT value.

--




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-25 Thread STINNER Victor

STINNER Victor added the comment:

+if bad_header_value_re.search(_value):
+error_str = Bad header value: {0!r} (bad char: {1!r})
+raise AssertionError(error_str.format(
+_value, bad_header_value_re.search(_value).group(0)))
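Review bot: raising AssertionError for a malformed header value (the `raise AssertionError(error_str.format(...))` lines of this hunk) signals an internal invariant failure rather than rejected input; callers that validate user-supplied header data expect to catch ValueError, so consider `raise ValueError(error_str.format(...))` here. The same hunk also runs `bad_header_value_re.search(_value)` twice; bind the match once and reuse `match.group(0)` in the message.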

Why do you search the character twice? You can do something like:

match = bad_header_value_re.search(_value)
if match is not None:
  ... match.group(0) ...

Why do you only check value? You should also check _params:

parts = "; ".join(parts)
match = bad_header_value_re.search(parts)
...

And you should also check the name.

Should we do the same checks in httplib?

--
nosy: +haypo




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-25 Thread Devin Cook

Changes by Devin Cook devin.c.c...@gmail.com:


Removed file: http://bugs.python.org/file29182/header_newlines.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-25 Thread Devin Cook

Devin Cook added the comment:

The spec doesn't say anything about the header name. It probably should though, 
as the same issue exists there.

I used two searches because that's how it's done in wsgiref.validate, and it's 
not a huge deal to do that because the second one will only execute when 
there's an error. That said, I changed it to how you proposed.

Here's another stab at that patch.

--
Added file: http://bugs.python.org/file29238/header_newlines_tip.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-25 Thread Devin Cook

Changes by Devin Cook devin.c.c...@gmail.com:


Removed file: http://bugs.python.org/file29192/header_newlines_2.7.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-25 Thread Devin Cook

Changes by Devin Cook devin.c.c...@gmail.com:


Removed file: http://bugs.python.org/file29193/header_newlines_2.6.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-23 Thread Devin Cook

Devin Cook added the comment:

Should now be compliant with this part of the spec:

Each header_value must not include any control characters, including carriage 
returns or linefeeds, either embedded or at the end. (These requirements are to 
minimize the complexity of any parsing that must be performed by servers, 
gateways, and intermediate response processors that need to inspect or modify 
response headers.)

--
keywords: +patch
nosy: +devin
Added file: http://bugs.python.org/file29182/header_newlines.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-23 Thread Devin Cook

Devin Cook added the comment:

backported patch to 2.7

--
Added file: http://bugs.python.org/file29192/header_newlines_2.7.patch




[issue11671] Security hole in wsgiref.headers.Headers

2013-02-23 Thread Devin Cook

Devin Cook added the comment:

backported patch to 2.6

--
Added file: http://bugs.python.org/file29193/header_newlines_2.6.patch




[issue11671] Security hole in wsgiref.headers.Headers

2011-06-01 Thread Terry J. Reedy

Changes by Terry J. Reedy tjre...@udel.edu:


--
versions:  -Python 2.5




[issue11671] Security hole in wsgiref.headers.Headers

2011-03-28 Thread Felix Gröbert

Felix Gröbert groeb...@google.com added the comment:

If the spec forbids control characters in headers, the module should
enforce that.

The most frequent example of header injection is the redirect-case: an
application is forwarding using the Location header to a user-supplied
URL.
http://google.com/codesearch?as_q=self.redirect%5C%28self.request.get
Other examples are proxies, setting user-agent, or, as you mention,
custom set-cookies headers.

--

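As an added illustration (my own code, not CPython's wsgiref and not any patch from this thread) of the spec requirement Devin quotes and of Victor's point that the name and the parameters need the same control-character check as the value, here is a small validating header container, exercised with the Location redirect case Felix describes. The RFC 7230 token rule for header names is my assumption; the spec text quoted in the thread covers values only.

```python
import re

# Constructed example, not code from CPython's wsgiref or from any patch in this thread.
# Control characters (0x00-0x1F and 0x7F) are forbidden anywhere in a header; CR and LF
# are the ones that let a value start a new header line.
_CONTROL_CHAR_RE = re.compile(r'[\x00-\x1f\x7f]')
# Assumed rule for names: an RFC 7230 token (the spec quote in the thread covers values only).
_HEADER_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_header(name, value, **params):
    """Return (name, 'value; k=v; ...') if every part is clean, else raise ValueError."""
    # fullmatch, not a '$' anchor: '$' would still accept a name ending in '\n'.
    if _HEADER_NAME_RE.fullmatch(name) is None:
        raise ValueError('bad header name: %r' % (name,))
    # Check the value and the parameters together, as one joined string.
    joined = '; '.join([value] + ['%s=%s' % (k, v) for k, v in params.items()])
    match = _CONTROL_CHAR_RE.search(joined)
    if match is not None:
        raise ValueError('bad header value: %r (bad char: %r)' % (joined, match.group(0)))
    return name, joined


class SafeHeaders:
    """Minimal stand-in for a WSGI response header list that validates on insertion."""

    def __init__(self):
        self._headers = []

    def add_header(self, name, value, **params):
        self._headers.append(check_header(name, value, **params))

    def items(self):
        return list(self._headers)


def safe_redirect(headers, user_url):
    """Add a Location header for a user-supplied URL; return False if it was rejected."""
    try:
        headers.add_header('Location', user_url)
    except ValueError:
        return False
    return True

if __name__ == '__main__':
    h = SafeHeaders()
    # Constructed input: a URL carrying a CRLF that would otherwise start a second header.
    print(safe_redirect(h, 'https://example.com/\r\nX-Injected: 1'))   # False
    print(safe_redirect(h, 'https://example.com/ok'), h.items())
```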



[issue11671] Security hole in wsgiref.headers.Headers

2011-03-25 Thread Éric Araujo

Changes by Éric Araujo mer...@netwok.org:


--
assignee: -> pje
nosy: +pje
stage: -> needs patch
title: Potential misuse of wsgiref.headers.Headers -> Security hole in wsgiref.headers.Headers
versions: +Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2




[issue11671] Security hole in wsgiref.headers.Headers

2011-03-25 Thread Phillip J. Eby

Phillip J. Eby p...@telecommunity.com added the comment:

> It is not uncommon that developers provide web applications
> to the public in which the HTTP response headers are not filtered for
> newlines but are controlled by the user.

Really?  Which applications, and which response headers?

> Therefore, I suggest to filter/warn/except header tuples which contain
> the above characters upon assignment in wsgiref.headers.

Applications that send them are not WSGI compliant anyway, since the spec 
forbids control characters in header strings -- and wsgiref.validate already 
validates this.

Still, I'm not aware of any legitimate use case for apps sending user input as 
an HTTP header where the data wouldn't already be escaped in some fashion -- 
cookies, URLs, ...?

--
