On 2018-06-07 22:46, Chris Angelico wrote:
> On Thu, Jun 7, 2018 at 10:18 PM, Steven D'Aprano
>>>> 3. http://localhost:8000/te%00st.html
>>> Actually, I couldn't even get Chrome to make that request, so it
>>> obviously was considered by the browser to be invalid.

It doesn't matter whether Chrome or Firefox can make the request if
it can be made by opening the socket yourself with something as
simple as

  $ telnet example.com 80
  GET /te%00st.html HTTP/1.1
  Host: example.com

If that crashes the server, it's a problem, even if browsers try to
prevent it from happening by accident.

>> It works in Firefox, but Apache truncates the URL:
>>
>> Not Found
>> The requested URL /te was not found on this server.
>>
>> instead of te%00st.html

This is a sensible result, left up to each server to decide what to
do.

>> I wonder how many publicly facing web servers can be induced to
>> either crash, or serve the wrong content, this way?

I'm sure there are plenty. I mean, I discovered this a while back

  https://mail.python.org/pipermail/python-list/2016-August/713373.html

and that's Microsoft running their own stack. They seem to have fixed
that issue at that particular set of URLs, but a little probing has
turned it up elsewhere at microsoft.com since (for the record, the
first set of non-existent URLs return 404-not-found errors while the
second set of reserved filename URLs return 500-Server-Internal-Error
pages). Filename processing is full of sharp edge-cases.

> Define "serve the wrong content". You could get the exact same
> content by asking for "te" instead of "te%00st.html"; what you've
> done is not significantly different from this:
>
> http://localhost:8000/te?st.html
>
> Is that a security problem too?

Depending on the server, it might allow injection for something like

  http://example.com/page%00cat+/etc/passwd

Or it might allow the request to be processed in an attack, but leave
the log files without the details:

  GET /innocent%00malicious_payload

(where only the "/innocent" gets logged)

Or false data could get injected in log files

  http://example.com/innocent%00%0a23.200.89.180+-+-+%5b07/Jun/2018%3a13%3a55%3a36+-0700%5d+%22GET+/nasty_porn.mov+HTTP/1.0%22+200+2326

(`host whitehouse.gov` = 23.200.89.180)

It all depends on the server and how the request is handled.

-tkc

-- 
https://mail.python.org/mailman/listinfo/python-list
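As an added example (not part of the thread, and Python because this is python-list), the block below percent-decodes the request targets quoted in the message above, shows what a handler that keeps the path in a NUL-terminated C buffer would see (the truncation to "/te" that Steven reports from Apache), rejects any decoded target containing NUL, CR or LF before it reaches filename or log handling, and escapes non-printable bytes so that a forged record cannot start a new access-log line. The client address 203.0.113.5, the 400 status policy and the log line format are assumptions of the example, not behaviour reported anywhere in the thread.

```python
"""
Added example, not code from the thread: NUL/newline handling for
percent-encoded request targets, and log-line escaping.
"""
from urllib.parse import unquote_to_bytes

# The request targets discussed in the thread (constructed sample input,
# copied from the message so the example can be run offline).
SAMPLE_TARGETS = [
    b"/te%00st.html",
    b"/page%00cat+/etc/passwd",
    b"/innocent%00malicious_payload",
    b"/innocent%00%0a23.200.89.180+-+-+%5b07/Jun/2018%3a13%3a55%3a36+-0700%5d"
    b"+%22GET+/nasty_porn.mov+HTTP/1.0%22+200+2326",
]

# Bytes that must never survive decoding: NUL (a C-string terminator) and
# the line terminators an access log uses as its record separator.
FORBIDDEN = {0x00, 0x0A, 0x0D}

# Assumed client address for the log line (documentation range, constructed).
CLIENT_ADDR = "203.0.113.5"


def decode_target(raw: bytes) -> bytes:
    """Percent-decode the request target exactly as it arrived on the wire.
    '+' is left alone: it is only a space in form-encoded query strings."""
    return unquote_to_bytes(raw)


def as_c_string(path: bytes) -> bytes:
    """What a handler that copies the path into a NUL-terminated buffer
    ends up using: everything after the first NUL silently disappears."""
    return path.split(b"\x00", 1)[0]


def validate_target(raw: bytes):
    """Decode, then refuse (status 400, an assumed policy) any target whose
    decoded form contains NUL, CR or LF. Returns (status, decoded_path)."""
    decoded = decode_target(raw)
    if any(b in FORBIDDEN for b in decoded):
        return 400, decoded
    return 200, decoded


def log_escape(data: bytes) -> str:
    """Render bytes for the access log so one request is always exactly one
    line: printable ASCII passes through, backslash and everything else
    becomes \\xNN."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def access_log_line(decoded_path: bytes, status: int) -> str:
    """One access-log record (assumed format) for a decoded path."""
    return f'{CLIENT_ADDR} - - "GET {log_escape(decoded_path)} HTTP/1.1" {status}'


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        status, decoded = validate_target(target)
        print("raw:      ", target.decode())
        print("C-string: ", as_c_string(decoded))
        print("status:   ", status)
        print("log line: ", access_log_line(decoded, status))
        print()
```

Run as a script it walks the four targets; the forged-log-entry URL decodes to a path containing both a NUL and a newline, and the escaped log line still ends with the server's own status rather than the attacker's "200 2326".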