[issue35774] ASAN, memory leak
New submission from Dhiraj:

Hi Team, I have compiled CPython via clang using ASAN and a memory leak was observed. After a successful build of Python:
1. Run python
2. Ctrl + D

==21461==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 257790 byte(s) in 93 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x644d77 in PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:640:12

Direct leak of 1640 byte(s) in 3 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x644d77 in PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:640:12
    #4 0x96cea4 in _PyObject_GC_Malloc /home/input0/Desktop/cpython/Modules/gcmodule.c:1908:12
    #5 0x96cea4 in _PyObject_GC_NewVar /home/input0/Desktop/cpython/Modules/gcmodule.c:1937

Direct leak of 663 byte(s) in 1 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x644d77 in PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:640:12
    #4 0x8b9dd8 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1362:20
    #5 0x8b84a5 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1194:18
    #6 0x8b9e09 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1365:22
    #7 0x8bf86a in read_object /home/input0/Desktop/cpython/Python/marshal.c:1451:9
    #8 0x8bf86a in marshal_loads_impl /home/input0/Desktop/cpython/Python/marshal.c:1763
    #9 0x8bf86a in marshal_loads /home/input0/Desktop/cpython/Python/clinic/marshal.c.h:158
    #10 0x564da7 in _PyMethodDef_RawFastCallKeywords /home/input0/Desktop/cpython/Objects/call.c

Direct leak of 579 byte(s) in 1 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x644d77 in PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:640:12
    #4 0x8b9dd8 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1362:20
    #5 0x8b84a5 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1194:18
    #6 0x8b9e09 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1365:22
    #7 0x8b84a5 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1194:18
    #8 0x8b9e09 in r_object /home/input0/Desktop/cpython/Python/marshal.c:1365:22
    #9 0x8b409d in PyMarshal_ReadObjectFromString /home/input0/Desktop/cpython/Python/marshal.c:1568:14
    #10 0x8a0d81 in get_frozen_object /home/input0/Desktop/cpython/Python/import.c:1277:12
    #11 0x8a0d81 in _imp_get_frozen_object_impl /home/input0/Desktop/cpython/Python/import.c:2036
    #12 0x8a0d81 in _imp_get_frozen_object /home/input0/Desktop/cpython/Python/clinic/import.c.h:198
    #13 0x5623eb in _PyCFunction_FastCallDict /home/input0/Desktop/cpython/Objects/call.c:584:14
    #14 0x5623eb in PyCFunction_Call /home/input0/Desktop/cpython/Objects/call.c:789

Direct leak of 536 byte(s) in 1 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x6403b0 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x6403b0 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x6403b0 in pymalloc_realloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1869
    #4 0x6403b0 in _PyObject_Realloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1888
    #5 0x644ead in PyObject_Realloc /home/input0/Desktop/cpython/Objects/obmalloc.c:658:12

Indirect leak of 15640 byte(s) in 17 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59 in _PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:1550
    #3 0x644d77 in PyObject_Malloc /home/input0/Desktop/cpython/Objects/obmalloc.c:640:12
    #4 0x675f9a in PyType_GenericAlloc /home/input0/Desktop/cpython/Objects/typeobject.c:975:15

Indirect leak of 7440 byte(s) in 7 object(s) allocated from:
    #0 0x4f1460 in malloc (/home/input0/Desktop/cpython/python+0x4f1460)
    #1 0x63fc59 in PyMem_RawMalloc /home/input0/Desktop/cpython/Objects/obmalloc.c:527:12
    #2 0x63fc59
[issue34209] racecondition
New submission from Dhiraj:

File: /cpython/blob/master/Modules/posixmodule.c#L2657

    #endif
        result = access(path->narrow, mode);
        Py_END_ALLOW_THREADS
        return_value = !result;
    #endif

If an attacker can change anything along the path between the call to `access()` and the file actually being used, they may exploit the race condition, i.e. a time-of-check, time-of-use race condition. https://linux.die.net/man/2/access

--
components: Build
messages: 322305
nosy: Dhiraj_Mishra
priority: normal
severity: normal
status: open
title: racecondition
type: security
versions: Python 2.7

___
Python tracker <https://bugs.python.org/issue34209>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
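The check-then-use window the report describes is the one the os.access() documentation itself warns about: testing permissions with access() and then opening by name leaves a gap in which the name can be re-pointed at a different file. The following is an added example, not code from the issue or from CPython, showing the Python-side pattern that has the window next to the pattern that closes it: open first, let the kernel perform the permission check as part of the open, and inspect the descriptor you actually hold with fstat(). The file names, the "alias" symlink and the file contents are constructed for the demo; O_NOFOLLOW is assumed to be available (POSIX).

```python
import errno
import os
import stat
import tempfile

# Portability shim: O_NOFOLLOW is a POSIX open flag. Where it is missing the
# open() below simply follows symlinks (assumption: the host is POSIX).
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def read_check_then_use(path):
    """Time-of-check / time-of-use pattern.

    access() is consulted first, then the file is opened by name. Between the
    two calls the path can be swapped (for example replaced by a symlink), so
    the open may reach a different file than the one access() judged readable.
    """
    if not os.access(path, os.R_OK):
        return None
    with open(path, "rb") as f:
        return f.read()


def read_open_then_verify(path):
    """Open first; the kernel performs the permission check as part of open().

    The descriptor is then inspected with fstat(), which describes the file
    that was actually opened rather than whatever the name points to now.
    """
    try:
        fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    except PermissionError:
        return None
    except OSError as exc:
        # ELOOP: the last path component was a symlink and O_NOFOLLOW refused
        # it. ENOENT: nothing there. Both are "not readable" for our purposes.
        if exc.errno in (errno.ELOOP, errno.ENOENT):
            return None
        raise
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):   # refuse devices, FIFOs, directories
            return None
        return f.read()


def demo():
    """Constructed scenario: a regular file plus a symlink that aliases it.

    Returns what each reader yields for the real name and for the alias.
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "data.txt")   # constructed sample file
        alias = os.path.join(tmp, "alias")       # constructed symlink
        with open(target, "wb") as f:
            f.write(b"readable-contents")
        os.symlink(target, alias)
        return {
            "toctou_direct": read_check_then_use(target),
            "toctou_via_alias": read_check_then_use(alias),
            "safe_direct": read_open_then_verify(target),
            "safe_via_alias": read_open_then_verify(alias),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The check-then-use reader happily follows the alias because access() and open() each resolve the name independently; the open-then-verify reader rejects it at the open call and never has a moment where the checked object and the used object can differ. In a single process the race itself cannot be shown, which is exactly why the safe version does not rely on timing at all.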
[issue29385] Sockets Crashes or Memory Corruption
New submission from Dhiraj:

When the Python server receives a string of '\xff' (5 or more) from a page after completing a handshake, the tab immediately crashes. There are variations of this string with other characters mixed in that also cause an immediate close of the Python server.

To reproduce:
1. Run the websockets.py server
2. Then open websockets.html in a browser

The Python server gets closed/crashes.

--
components: Windows
files: REPRO.ZIP
messages: 286429
nosy: Dhiraj_Mishra, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Sockets Crashes or Memory Corruption
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
Added file: http://bugs.python.org/file46448/REPRO.ZIP

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue29385>
[issue27502] Python -m Module Vulnerable to Buffer Over Flow.
Dhiraj added the comment:

Sorry for replying so late, but yes, if the script is run again and again the application throws the Python error and the server gets crashed. I request you to have a look at it.

--
___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27502>
[issue27502] Python -m Module Vulnerable to Buffer Over Flow.
New submission from Dhiraj:

Hello Sir, the Python module "-m SimpleHTTPServer" is vulnerable to buffer overflow.

Step: I have prepared a Python script which sends more than 5000+ values to the module in a GET request. As soon as I run that script, the "python -m SimpleHTTPServer" running on the victim's system generates a huge line of error, as exception handling is not done properly. The server does not crash at once, but if the fuzzing script is run again and again it gets crashed, and a buffer overflow takes place. In our scenario the Kali Linux machine is the victim's system running the server module and Linux Mint is sending the fuzzing script. Please have a look at the POC below. I'll be happy to hear from the team.

Thank you

--
files: POC-Python.zip
messages: 270264
nosy: DhirajMishra
priority: normal
severity: normal
status: open
title: Python -m Module Vulnerable to Buffer Over Flow.
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file43699/POC-Python.zip

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27502>
[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Changes by Dhiraj <mishra.dhira...@gmail.com>:

--
resolution: duplicate -> fixed

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26398>
[issue26039] More flexibility in zipfile interface
Dhiraj added the comment:

Please have a look at issue 11980, http://bugs.python.org/issue11980. It has already been patched.

--
nosy: +DhirajMishra

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26039>
[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Dhiraj added the comment:

Even the IDLE of Python is vulnerable to cgi.escape(). Please have a look at the attachments; I hope this will be patched soon.

Thank you

--
nosy: +dstufft, gregory.p.smith
type: -> security
Added file: http://bugs.python.org/file42013/Python-IDLE-CGI-Vulnerable.png

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26398>
[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Dhiraj added the comment:

Hello @Georg Brandl, PFA. You'll be happy to find that Python 3.x is still vulnerable to cgi.escape(): the module is not able to escape some values and can lead to XSS also. As @Martin Panter said, cgi.escape() has now been replaced by html.escape(), so accordingly cgi.escape() should have a predefined value "quote = True", which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications.

Thank you

--
Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26398>
[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Dhiraj added the comment:

Hello @martin.panter, okay. But the module cgi.escape() is still vulnerable. If the Python docs have created a new html.escape, you might remove cgi.escape() or implement quote = True in cgi.escape() as predefined, as it is in html.escape, because developers mostly use CGI. It's a humble request; I hope I did well.

Thank you martin.panter

--
___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26398>
[issue26398] cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
New submission from Dhiraj:

The predefined module function cgi.escape() can lead to XSS or HTMLi in every version of Python.

Example:

    import cgi
    test = "Vulnerable"
    cgi.escape(test)

works properly; all the characters are escaped properly. But,

Example 2:

    import cgi
    test2 = ' " '
    cgi.escape(test2)

does not work fine: the ' " ' character is not escaped properly, and this may cause XSS or HTMLi. Please find the attachments below (PFA).

The Python security expert says:

"- The behavior of the cgi.escape() function is not a bug. It works exactly as documented in the Python documentation, https://docs.python.org/2/library/cgi.html#cgi.escape
- By default the cgi.escape() function only escapes the three chars '<', '>' and '&'. The double quote char '"' is not quoted unless you call cgi.escape() with quote=True. The default mode is suitable for escaping blocks of text that may contain HTML."

He says that if quote = True then it is not vulnerable.

Example:

    cgi.escape('""', quote=True)

But many website developers and many popular companies forget to implement the quote = True argument, and this may cause XSS and HTMLi. According to me there should be a predefined value in cgi.escape() which makes quote = True; then it will not be vulnerable. I hope this will be patched soon and will be updated.

Thank you (PFA)
Dhiraj Mishra Bug

--
assignee: docs@python
components: Documentation
files: CGI.ESCAPE_2.png
messages: 260600
nosy: DhirajMishra, docs@python
priority: normal
severity: normal
status: open
title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
versions: Python 3.6
Added file: http://bugs.python.org/file41982/CGI.ESCAPE_2.png

___
Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26398>
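The distinction the thread turns on is context: escaping only &, < and > is enough for text between tags, but a value placed inside a quoted attribute must also have its quote characters converted, otherwise the data terminates the attribute early (the HTMLi the report names). The following is an added example, not code from the issue or from CPython, that reproduces both behaviours with html.escape(); cgi.escape() itself was removed in Python 3.8, and html.escape(text, quote=False) gives the same three-character escaping its old default did, while html.escape(text) (quote=True) also converts " and '. The user-supplied value and the attribute-breakout check are constructed for the demo.

```python
import html

# Constructed sample of attacker-controlled data destined for an attribute.
# It carries a double quote so that, unescaped, it closes the value="..." slot
# and smuggles an extra attribute into the tag (HTML injection, no script).
USER_INPUT = '" data-injected="1'


def escape_like_cgi_default(text):
    """Only &, < and > are converted: the behaviour of cgi.escape() without
    quote=True, reproduced with html.escape(quote=False)."""
    return html.escape(text, quote=False)


def escape_for_attribute(text):
    """html.escape() default (quote=True): additionally converts " to &quot;
    and ' to &#x27;, so the value cannot end a quoted attribute early."""
    return html.escape(text, quote=True)


def render_input(value, escaper):
    """Place the (escaped) value inside a double-quoted HTML attribute."""
    return '<input value="%s">' % escaper(value)


def attribute_is_intact(markup):
    """Crude structural check for this one-attribute tag: exactly two raw
    double quotes means the user data did not introduce any of its own."""
    return markup.count('"') == 2


def demo():
    """Render the constructed input both ways and report whether the
    attribute boundary survived."""
    naive = render_input(USER_INPUT, escape_like_cgi_default)
    safe = render_input(USER_INPUT, escape_for_attribute)
    return {
        "naive": naive,
        "naive_intact": attribute_is_intact(naive),
        "safe": safe,
        "safe_intact": attribute_is_intact(safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The naive rendering comes out as `<input value="" data-injected="1">`: the attribute closed after zero characters and a second attribute appeared that the template never wrote. With quote=True the same input becomes `<input value="&quot; data-injected=&quot;1">`, a single attribute whose value happens to contain quote entities. The practical rule is the one the thread arrives at: whichever function is used, choose the escaping for the HTML context the value lands in, and for attributes that means the quote-converting mode.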