[Python-Dev] Re: CFLAGS_NODIST and -qalias=noansi

2021-03-08 Thread Victor Stinner
On Fri, Mar 5, 2021 at 5:47 PM Michael Felt wrote:
> Fyi: using `git log` I have tried to get any clue re: CFLAGS_NODIST
> and/or -qalias=noansi - but I do not seem to be skilled enough to find
> that information.

Try "git blame configure.ac" and search for "noansi".

It was introduced in bpo-41721 with this commit:

commit 84a7917b4c9afec07575065cffa143b91fe98c14
Author: Stefan Krah 
Date:   Fri Sep 4 22:33:17 2020 +0200

bpo-41721: Add xlc options (GH-22096)

* https://bugs.python.org/issue41721
* https://github.com/python/cpython/pull/22096

The rationale seems to be: https://bugs.python.org/issue41721#msg376396

Note: it would be nice to add a comment in configure.ac with a link to
the bpo when a new C flag is introduced.

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/FM2QBWEVY7GX53P4VSGZJZWZJ4JLNJNW/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] Need help to fix known Python security vulnerabilities

2021-03-08 Thread Victor Stinner
Hi,

The Python bug tracker currently has 78 open issues of the type
Security. If you are looking for something to do to help the Python
project, please go through the list (search for open issues with
Type=security at bugs.python.org), discuss the different solutions for
how to address these vulnerabilities, and maybe even propose a fix.

Here are some examples.

== tarfile ==

For example, the tarfile module has a known directory traversal
vulnerability (unsafe by default), whereas the GNU tar command is
fixed: the -P/--absolute-names option must be used explicitly to get
the unsafe behavior.

I suggest making the Python tarfile module safe by default, and adding
an option to allow absolute paths. Issue reported 7 years ago:
https://bugs.python.org/issue21109

== webbrowser ==

Another example: on Windows, the webbrowser seems to have a shell
command injection vulnerability, reported 2 years ago:
https://bugs.python.org/issue36021

== XML ==

Python XML parsers have at least two known vulnerabilities: "billion
laughs" and "quadratic blowup" which are documented:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

The third party defusedxml module addresses these vulnerabilities:
https://pypi.org/project/defusedxml/

But Python remains unsafe by default, issue reported 8 years ago:
https://bugs.python.org/issue17239


== tempfile ==

The tempfile library does not check the prefix argument, which can be
exploited to create files outside tmpdir by using directory traversal.

Issue reported 3 years ago:
https://bugs.python.org/issue35278

The same issue was found and treated as a vulnerability in PHP
(CVE-2006-1494) and Ruby (CVE-2018-6914).


== Issues involving URLs ==

There are multiple issues involving URLs:

"ReDoS in urllib.request"
https://bugs.python.org/issue43075

"http.server: Open Redirection if the URL path starts with //"
https://bugs.python.org/issue43223

"urlparse of urllib returns wrong hostname"
https://bugs.python.org/issue36338

"[CVE-2015-2104] Urlparse insufficient validation leads to open redirect"
https://bugs.python.org/issue23505

"urlparse library detecting wrong hostname leads to open redirect vulnerability"
https://bugs.python.org/issue35748

"http.server can be abused to redirect to (almost) arbitrary URL"
https://bugs.python.org/issue32084

"urllib may leak sensitive HTTP headers to a third-party web site"
https://bugs.python.org/issue33661

"Unnecessary URL scheme exists to allow 'URL: reading file in urllib"
https://bugs.python.org/issue37820

"A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! "
https://bugs.python.org/issue32085


Happy hacking!

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/PHHQXJYDFWBIKBAHTVATHBL5DO3ER3BE/
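Defensive checks for the tarfile and tempfile issues listed above, added here as an example and not code from Victor's mail or from CPython: `unsafe_members()` lists archive members that would escape the extraction directory (a caller should refuse the whole archive if the list is non-empty), `safe_prefix()` rejects a tempfile prefix that carries path components, and `build_sample_tar()` is a constructed in-memory archive to exercise them. The realpath/commonpath containment test and the sample member names are this example's own choices.

```python
import io
import os
import tarfile

def is_within(base, target):
    """True if `target`, joined onto `base` and normalised, stays inside `base`."""
    base_real = os.path.realpath(base)
    target_abs = os.path.normpath(os.path.join(base_real, target))
    return os.path.commonpath([base_real, target_abs]) == base_real

def unsafe_members(tar, dest):
    """Names of members that would land outside `dest`: absolute names, '..'
    traversal, or links whose target escapes. Static inspection cannot see a
    later member writing through a symlink an earlier one created, so also
    extract as an unprivileged user into a fresh directory."""
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not is_within(dest, m.name):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # symlink targets are relative to the member's directory,
            # hard-link targets to the archive root
            anchor = os.path.dirname(m.name) if m.issym() else ""
            target = os.path.join(anchor, m.linkname)
            if os.path.isabs(m.linkname) or not is_within(dest, target):
                bad.append(m.name)
    return bad

def safe_prefix(prefix):
    """tempfile.mkstemp() does not validate `prefix`; accept only a bare
    file-name fragment with no path separator or drive component."""
    seps = [os.sep] + ([os.altsep] if os.altsep else [])
    return (not any(s in prefix for s in seps)
            and os.path.basename(prefix) == prefix)

def build_sample_tar():
    """Constructed in-memory archive: a benign file, a '..' member, an
    absolute name and a symlink that points out of the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as w:
        for name in ("good/ok.txt", "../evil.sh", "/abs/evil.sh"):
            ti = tarfile.TarInfo(name)
            ti.size = 2
            w.addfile(ti, io.BytesIO(b"hi"))
        link = tarfile.TarInfo("link_out")
        link.type, link.linkname = tarfile.SYMTYPE, "../../etc/passwd"
        w.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Since Python 3.12, `tarfile.extractall()` accepts a `filter` argument (PEP 706) whose `"data"` filter performs this kind of containment check natively; the function above is for older interpreters or for inspecting an archive before deciding to extract it.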