[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-28 Thread Larry Hastings


Change by Larry Hastings :


--
resolution:  -> fixed
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-28 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor 
Stinner) in branch '3.5':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516)
https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf661803782de


--
nosy: +larry




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread Dong-hee Na


Dong-hee Na  added the comment:

> I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it.
Yes, we should leave it open until the PR is merged.

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor


STINNER Victor  added the comment:

I prefer to keep it open until the 3.5 backport is merged.

--
resolution: fixed -> 
status: closed -> open




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread Dong-hee Na


Change by Dong-hee Na :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +16106
pull_request: https://github.com/python/cpython/pull/16516




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-01 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner 
(Dong-hee Na) in branch '2.7':
[2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89


--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-28 Thread Ned Deily


Ned Deily  added the comment:


New changeset 1698cacfb924d1df452e78d11a4bf81ae389 by Ned Deily (Victor 
Stinner) in branch '3.6':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae389


--
nosy: +ned.deily




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread Dong-hee Na


Change by Dong-hee Na :


--
pull_requests: +16026
pull_request: https://github.com/python/cpython/pull/16447




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread Dong-hee Na


Dong-hee Na  added the comment:

Sure!

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor


STINNER Victor  added the comment:

@Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which 
also has the bug?

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington


miss-islington  added the comment:


New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) 
in branch '3.8':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28


--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington


miss-islington  added the comment:


New changeset 39a0c730e31c6941a78da19b6a5b61170687 by Miss Islington (bot) 
in branch '3.7':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/39a0c730e31c6941a78da19b6a5b61170687


--
nosy: +miss-islington




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +16020
pull_request: https://github.com/python/cpython/pull/16441




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington


Change by miss-islington :


--
pull_requests: +16019
pull_request: https://github.com/python/cpython/pull/16440




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread miss-islington


Change by miss-islington :


--
pull_requests: +16018
pull_request: https://github.com/python/cpython/pull/16439




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-27 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner 
(Dong-hee Na) in branch 'master':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa


--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-26 Thread Dong-hee Na


Dong-hee Na  added the comment:

@vstinner

Thank you for the feedback.
I've updated the PR with the unit test you suggested :-)

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-25 Thread STINNER Victor


STINNER Victor  added the comment:

> I've proposed a patch on GitHub which escapes the server_title when 
> documenter.page is called. (It is a different point from msg353132.)

The attached poc.py seems to show that server name and server documentation are 
not escaped either.


[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-25 Thread STINNER Victor


STINNER Victor  added the comment:

> Thanks for the report. There is a policy to report security vulnerabilities 
> in CPython : https://www.python.org/news/security/.

The private security mailing list has been contacted first and we advised to 
open a public issue since we consider that it's not a major security issue.

To exploit this bug, the attacker has to control the XML-RPC server title.

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na


Dong-hee Na  added the comment:

I've proposed a patch on GitHub which escapes the server_title when 
documenter.page is called. (It is a different point from msg353132.)

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na


Change by Dong-hee Na :


--
keywords: +patch
pull_requests: +15953
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/16373




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na


Dong-hee Na  added the comment:

Looks like this issue can be solved by the code change below.

@@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
 def set_server_title(self, server_title):
 """Set the HTML title of the generated server documentation"""

-self.server_title = server_title
+self.server_title = html.escape(server_title)
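
Review bot: escaping inside set_server_title(), on the "+self.server_title = html.escape(server_title)" line, stores the escaped form in the attribute, so a title that reaches self.server_title by any path other than this setter is still written to the page raw, and anything that reads the attribute back gets HTML entities rather than the string that was set. Consider leaving the setter as it was and escaping at the point of output instead, at the documenter.page(self.server_title, documentation) call quoted in the original report, and add a test that sets a title containing markup characters and checks the generated page.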

--




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread Dong-hee Na


Change by Dong-hee Na :


--
nosy: +corona10




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-24 Thread STINNER Victor


Change by STINNER Victor :


--
nosy: +mdk, vstinner




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-21 Thread Ned Deily


Change by Ned Deily :


--
keywords: +security_issue
priority: normal -> high
versions: +Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-20 Thread Karthikeyan Singaravelan


Karthikeyan Singaravelan  added the comment:

Thanks for the report. There is a policy to report security vulnerabilities in 
CPython : https://www.python.org/news/security/.

--
nosy: +xtreak




[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-09-20 Thread longwenzhang

New submission from longwenzhang :

It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.

Steps to reproduce:

1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class 
ServerHTMLDoc, the method markup() will escape the special symbols to make them 
safe (such as <, ", etc.).
2. But it only escapes the content from server.set_server_name() and 
server.set_server_documentation(); the "title" content from 
server.set_server_title() will not be escaped, so if I 
set_server_title('123alert(1)'), it will cause XSS 
because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is 
poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at 
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return 
documenter.page(self.server_title,documentation)". Before this line, the variable 
"documentation" has been escaped but self.server_title has not. This is the main 
cause.

--
components: Library (Lib)
files: poc.py
messages: 352921
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A reflected XSS in python/Lib/DocXMLRPCServer.py
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file48619/poc.py
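
An added example, not code from this thread or from CPython: a regression check for the behaviour reported above, comparing an unescaped and an escaped title in a simplified model of the `documenter.page(self.server_title, documentation)` call and then testing the installed interpreter's `xmlrpc.server`. The names `render_page`, `title_is_escaped`, `stdlib_escapes_title` and the probe string are constructed for this example.

```python
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed, inert probe: markup characters only, nothing executable.
PROBE_TITLE = 'Docs <b id="probe">&</b>'


def render_page(server_title, documentation, escape_title):
    """Simplified model (an assumption, not pydoc's template) of the page
    assembly: the body arrives already escaped, the title may not be."""
    title = html.escape(server_title) if escape_title else server_title
    return "<html><head><title>%s</title></head><body>%s</body></html>" % (
        title, documentation)


def title_is_escaped(page, raw_title):
    """True if raw_title appears in the page only in HTML-escaped form."""
    return raw_title not in page and html.escape(raw_title) in page


def stdlib_escapes_title():
    """Check the interpreter that is actually installed.

    DocCGIXMLRPCRequestHandler uses the same XMLRPCDocGenerator as
    DocXMLRPCServer but opens no socket, so the check runs offline.
    """
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(PROBE_TITLE)
    page = handler.generate_html_documentation()
    return title_is_escaped(page, PROBE_TITLE)


if __name__ == "__main__":
    body = html.escape("method docs <ok>")
    before = render_page(PROBE_TITLE, body, escape_title=False)
    after = render_page(PROBE_TITLE, body, escape_title=True)
    print("model, title unescaped:", title_is_escaped(before, PROBE_TITLE))
    print("model, title escaped:  ", title_is_escaped(after, PROBE_TITLE))
    print("installed xmlrpc.server:", stdlib_escapes_title())
```

A `False` from `stdlib_escapes_title()` means the interpreter predates the changesets listed in this thread for its branch.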
