STINNER Victor <vstin...@redhat.com> added the comment:
Oh, I didn't recall that this issue (this class of security vulnerabilities) has such an old history. I found *A LOT* of similar open issues. Here are my notes. Maybe most open issues should be closed as duplicates of this one to clarify the status of urllib in Python? :-)

Emails:

* 2019: https://mail.python.org/pipermail/python-dev/2019-April/157014.html
* 2017: https://mail.python.org/pipermail/python-dev/2017-July/148699.html

Open issues:

* 2011, bpo-13359: "urllib2 doesn't escape spaces in http requests"
  Not marked as a security issue.
* 2012, bpo-14826: "urlopen URL with unescaped space"
  Fix using quote(self.__original, safe="%/:=&?~#+!$,;'@()*[]|") ... and the change has then been reverted because it broke buildbots. Still open.
* 2013, bpo-17322: "urllib.request add_header() currently allows trailing spaces (and other weird stuff)"
  Not marked as a security issue.
* 2014, bpo-22928: "HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)"
  Marked as fixed, but user Orange explained in the first comment of bpo-30458 that the fix is incomplete.
* 2017, bpo-30458: "[CVE-2019-9740][security] CRLF Injection in httplib" (this issue)
* 2017, bpo-32085: "[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!"
* 2019, bpo-35906: "[CVE-2019-9947] Header Injection in urllib" (another CVE!)
Closed issues:

* 2004, bpo-918368: "urllib doesn't correct server returned urls" (urllib)
  FIXED BY: commit 7c2867fcb1ade429a41e030585332ea26e3f60e1
  Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* 2005, bpo-1353433: "Http redirection error in urllib2.py" (urllib2)
  FIXED BY: commit ddb84d7c69addc5d5e2ab3e327260d97b52af3a7
  Fix: newurl = newurl.replace(' ', '%20')
* 2005, bpo-1153027: "http_error_302() crashes with 'HTTP/1.1 400 Bad Request"
  FIXED BY: commit 690ce9b353bc0a86d0886470adbaa50e813de3b8 (Lib/urllib/request.py)
  Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* bpo-29606: "urllib FTP protocol stream injection"
  Duplicate of bpo-30119.
* bpo-30119: "(ftplib) A remote attacker could possibly attack by containing the newline characters"
  FIXED BY: commit 8c2d4cf092c5f0335e7982392a33927579c4d512
  Fix: reject "\r" and "\n" in FTP.putline() (Lib/ftplib.py)
* bpo-36276: "[CVE-2019-9740] Python urllib CRLF injection vulnerability"
  Closed as duplicate of bpo-30458

Rejected pull requests:

* https://github.com/python/cpython/pull/1216/files
  bpo-29606: Reject "\n" in ftp_open() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2800/files
  bpo-29606: Reject "\n" in ftp_open() and open_ftp() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2301/files
  bpo-30713: The splittype(), splitport() and splithost() functions of the urllib.parse module now reject URLs which contain a newline character.
* https://github.com/python/cpython/pull/2303/files
  bpo-30713: The splittype(), splitport() and splithost() functions of the urllib.parse module now reject URLs which contain a newline character, but splittype() accepts newlines after the type.
----------
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue30458>
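As an added example (not code from the tracker, from this comment's author, or from CPython), here are the two mitigation patterns the notes above point at, applied when assembling an HTTP request head: percent-encoding the URL with the safe set quoted in the bpo-918368 / bpo-1153027 fixes, and rejecting CR/LF in headers outright as the ftplib putline() fix does. `encode_url`, `header_is_safe`, `build_request` and `line_count` are hypothetical helper names.

```python
"""Added example: the two CRLF mitigation patterns referenced in the notes."""
import re
from urllib.parse import quote

# Safe set quoted in the bpo-918368 / bpo-1153027 fixes: these characters pass
# through untouched; everything else (space, CR, LF, ...) becomes %XX.
SAFE = "%/:=&?~#+!$,;'@()*[]"

# CR, LF and the other ASCII control characters; none may appear in a header.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def encode_url(url: str) -> str:
    """Percent-encode the URL so a raw space or CR/LF can no longer terminate
    the request line. Because '%' is in SAFE, an already-encoded %0D%0A is kept
    as-is (and a bare '%' passes too): the server decodes it, the request
    framing does not."""
    return quote(url, safe=SAFE)


def header_is_safe(name: str, value: str) -> bool:
    """Headers cannot be percent-encoded, so reject control characters
    outright, as the ftplib putline() fix does for CR and LF."""
    if not name or ":" in name or _CONTROL.search(name):
        return False
    return _CONTROL.search(value) is None


def build_request(method: str, url: str, headers: dict) -> str:
    """Assemble the request head only from encoded and validated parts."""
    lines = [f"{method} {encode_url(url)} HTTP/1.1"]
    for name, value in headers.items():
        if not header_is_safe(name, value):
            raise ValueError(f"illegal header: {name!r}: {value!r}")
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def line_count(request_head: str) -> int:
    """Lines the server will parse; a well-formed head has exactly
    1 + number of headers, and any extra line is a framing problem."""
    return request_head.rstrip("\r\n").count("\r\n") + 1
```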