[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Devin Cook added the comment:

> Correct me if I'm wrong, but the "well-maintained pyOpenSSL
> package" doesn't have the missing functionality (hostname
> checking in server certificates), either.

I'm pretty sure it's just a wrapper around the openssl library, which does not include it. That was Bill Janssen's argument for why the ssl module shouldn't do that verification. Well, that and the fact that there's no finalized standard for it yet. I believe this is the latest draft:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09

--
Python tracker <http://bugs.python.org/issue1589>

Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Devin Cook added the comment:

I think it looks good except for the wildcard checking. According to the latest draft of that TLS id-checking RFC, you aren't supposed to allow the wildcard as part of a fragment. Of course this contradicts RFC 2818.

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3

If this gets accepted, I'll submit a patch to http.client and urllib that makes use of it.

--
Python tracker <http://bugs.python.org/issue1589>
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Devin Cook added the comment:

> I'm also assuming RFC 2818 is in wider use than the id-checking draft;
> am I wrong?

Yeah, since RFC 2818 has been accepted since 2000 and the id-checking draft was started in 2009, I'd say it's a safe bet. I'm in no way authoritative though.

--
Python tracker <http://bugs.python.org/issue1589>
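The two wildcard rules argued over in the messages above, side by side, as an added example; this is not code from the CPython ssl module or from the patch under review. It assumes the chain has already been validated and performs only the identity check, against a certificate in the dict layout that `ssl.SSLSocket.getpeercert()` returns (subjectAltName dNSName entries first, commonName only when no SAN is present, as RFC 2818 section 3.1 directs). `strict=False` is the RFC 2818 reading (a `*` may match a fragment of a label, so `f*.example.com` covers `foo.example.com`); `strict=True` is the draft's reading (a `*` only as the whole leftmost label). All certificates and hostnames below are constructed samples.

```python
"""Hostname-vs-certificate identity check with both wildcard policies.

Added example; not the CPython implementation.  Assumes the certificate
chain was already verified and that `cert` has the shape returned by
ssl.SSLSocket.getpeercert().
"""
import re


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def _label_matches(pattern, label, strict):
    if "*" not in pattern:
        return pattern == label
    if strict:
        # Draft rule: the wildcard must be the entire label.
        return pattern == "*"
    # RFC 2818 rule: '*' matches any run of characters within this one
    # label ("f*.com matches foo.com but not bar.com").
    regex = "^" + "[^.]*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, label) is not None


def match_hostname(cert_name, hostname, strict=True):
    """True if `hostname` is covered by the presented name `cert_name`."""
    pat, host = _labels(cert_name), _labels(hostname)
    # A wildcard never spans a dot (*.a.com does not match bar.foo.a.com),
    # so the label counts must agree.
    if len(pat) != len(host):
        return False
    # A wildcard anywhere but the leftmost label is refused outright.
    if any("*" in p for p in pat[1:]):
        return False
    return all(_label_matches(p, h, strict) for p, h in zip(pat, host))


def verify_cert_hostname(cert, hostname, strict=True):
    """Check `hostname` against the certificate's dNSName SANs, or against
    commonName only when the certificate carries no SAN at all."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        names = san
    else:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(match_hostname(n, hostname, strict) for n in names)


if __name__ == "__main__":
    # Constructed sample cert: SAN present, so the CN must be ignored.
    sample = {"subject": ((("commonName", "www.example.com"),),),
              "subjectAltName": (("DNS", "*.api.example.com"),)}
    print(verify_cert_hostname(sample, "v1.api.example.com"))   # True
    print(verify_cert_hostname(sample, "www.example.com"))      # False
```

Note that `strict` only changes the treatment of a `*` that shares a label with other characters; the two rules agree that `*.example.com` covers `www.example.com` but not `example.com` or `a.b.example.com`.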
[issue8998] add crypto routines to stdlib
Devin Cook added the comment:

It sounds like you may already have an idea of how you want the API structured, but just in case you're still thinking about it, here's another API to look at that I think focuses on exactly what you were highlighting as priorities (sane defaults, easy to use): keyczar. I use keyczar quite a bit and really like it, although I tend to only use the key classes directly instead of using the generic "Crypter" etc. classes.

http://code.google.com/p/keyczar/

--
nosy: +devin

Python tracker <http://bugs.python.org/issue8998>
[issue11671] Security hole in wsgiref.headers.Headers
Devin Cook added the comment:

It looks like it's allowed for header line continuation.

http://www.ietf.org/rfc/rfc2616.txt

    HTTP/1.1 header field values can be folded onto multiple lines if the
    continuation line begins with a space or horizontal tab. All linear
    white space, including folding, has the same semantics as SP. A
    recipient MAY replace any linear white space with a single SP before
    interpreting the field value or forwarding the message downstream.

    ...

    A CRLF is allowed in the definition of TEXT only as part of a header
    field continuation. It is expected that the folding LWS will be
    replaced with a single SP before interpretation of the TEXT value.

--
Python tracker <http://bugs.python.org/issue11671>
[issue672656] securing pydoc server
Devin Cook added the comment:

It looks like this bug was reintroduced in a5a3ae9be1fb.

--
nosy: +devin

Python tracker <http://bugs.python.org/issue672656>
[issue22419] wsgiref request length
New submission from Devin Cook:

BaseHTTPRequestHandler limits request length to prevent DoS. WSGIRequestHandler should probably do the same.

See: http://bugs.python.org/issue10714

--
components: Library (Lib)
files: wsgiref_request_length.patch
keywords: patch
messages: 226931
nosy: devin
priority: normal
severity: normal
status: open
title: wsgiref request length
type: security
Added file: http://bugs.python.org/file36626/wsgiref_request_length.patch

Python tracker <http://bugs.python.org/issue22419>
[issue22421] securing pydoc server
New submission from Devin Cook:

Several years ago a patch was applied to set the default binding of the pydoc server to "localhost" instead of "0.0.0.0". It appears that the issue was reintroduced in a5a3ae9be1fb.

See previous issue: http://bugs.python.org/issue672656

$ ./python -m pydoc -b
Server ready at http://localhost:35593/
Server commands: [b]rowser, [q]uit
server>
---
$ netstat -lnp | grep python
tcp        0      0 0.0.0.0:35593           0.0.0.0:*               LISTEN      2780/python

As a sidenote, I'm not sure why the localhost lookup breaks the test case on my linux machine, but it does.

--
components: Library (Lib)
files: pydoc_server_addr.patch
keywords: patch
messages: 226935
nosy: devin
priority: normal
severity: normal
status: open
title: securing pydoc server
type: security
Added file: http://bugs.python.org/file36628/pydoc_server_addr.patch

Python tracker <http://bugs.python.org/issue22421>
[issue672656] securing pydoc server
Devin Cook added the comment:

Sure, thanks. New issue: http://bugs.python.org/issue22421

--
Python tracker <http://bugs.python.org/issue672656>
[issue11259] asynchat does not check if terminator is negative integer
Changes by Devin Cook:

Removed file: http://bugs.python.org/file29202/asynchat_tip.patch

Python tracker <http://bugs.python.org/issue11259>
[issue11259] asynchat does not check if terminator is negative integer
Devin Cook added the comment:

Updating the patch to the current tip.

--
Added file: http://bugs.python.org/file34310/asynchat_tip.patch

Python tracker <http://bugs.python.org/issue11259>
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Changes by Devin Cook:

--
nosy: +devin

Python tracker <http://bugs.python.org/issue1589>
[issue11671] Security hole in wsgiref.headers.Headers
Devin Cook added the comment:

Should now be compliant with this part of the spec:

"Each header_value must not include any control characters, including carriage returns or linefeeds, either embedded or at the end. (These requirements are to minimize the complexity of any parsing that must be performed by servers, gateways, and intermediate response processors that need to inspect or modify response headers.)"

--
keywords: +patch
nosy: +devin
Added file: http://bugs.python.org/file29182/header_newlines.patch

Python tracker <http://bugs.python.org/issue11671>
[issue11671] Security hole in wsgiref.headers.Headers
Devin Cook added the comment:

Backported patch to 2.7.

--
Added file: http://bugs.python.org/file29192/header_newlines_2.7.patch

Python tracker <http://bugs.python.org/issue11671>
[issue11671] Security hole in wsgiref.headers.Headers
Devin Cook added the comment:

Backported patch to 2.6.

--
Added file: http://bugs.python.org/file29193/header_newlines_2.6.patch

Python tracker <http://bugs.python.org/issue11671>
[issue12226] use HTTPS by default for uploading packages to pypi
Changes by Devin Cook:

--
nosy: +devin

Python tracker <http://bugs.python.org/issue12226>
[issue11259] asynchat does not check if terminator is negative integer
Devin Cook added the comment:

I agree that this is probably a bug, but can't think of any instances where this in itself would cause a security issue. By sending something like a negative Content-Length, you do indeed get data returned that doesn't really match the data sent on the wire. If you're able to manipulate the Content-Length, though, instead of sending a negative value num, you could instead send len(data) + num.

Here's a simple example I was able to come up with:

Server reads data and runs "echo -n > {data}" (or any write to the file specified in "data"). Client is supposed to send Content-Length, then that many bytes, expected to be a file that should be written to. Client instead sends "-4\n/etc/passwd.bak". Server runs "echo -n > /etc/passwd".

So that's certainly unexpected behavior. However, this is a fairly low-level module, and doesn't actually do anything with the data it collects. That's left to the subclass, and subclasses should be responsible for validating any data read off the wire before using it.

Attached is a patch to tip, including a new test case.

--
nosy: +devin
type: security -> behavior
Added file: http://bugs.python.org/file29202/asynchat_tip.patch

Python tracker <http://bugs.python.org/issue11259>
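The two checks raised in this thread and in the wsgiref request-length report (issue22419) above, a declared length that must be a non-negative integer and a cap on how much a peer can make the server buffer, in one standalone reader. This is an added example, not the asynchat patch attached to this issue; it reproduces the shape of asynchat's integer terminator (read exactly N bytes after a header line) without asyncore. The wire format (a decimal length, a newline, then that many bytes), the class and function names, and the sample inputs are all constructed for the example.

```python
"""Length-prefixed framing with a validated integer terminator.

Added example; not CPython's asynchat.  Protocol, names and inputs are
constructed for illustration.
"""


class FrameError(ValueError):
    """Raised when a peer sends an unusable length header."""


class FrameReader:
    def __init__(self, max_length=65536):
        self.max_length = max_length   # cap on any single frame or header line
        self.buf = b""
        self.frames = []
        self._expect_header = True
        self._terminator = b"\n"        # first read a header line

    def _set_terminator(self, term):
        # asynchat-style: an int means "collect exactly this many bytes".
        # Without this check a negative N would reach buf[:N], which Python
        # quietly reads as "everything but the last -N bytes", so the data
        # handed to the application no longer matches what was on the wire.
        if isinstance(term, int):
            if term < 0:
                raise FrameError("negative length %d" % term)
            if term > self.max_length:
                raise FrameError("length %d exceeds cap %d" % (term, self.max_length))
        self._terminator = term

    def feed(self, data):
        """Append received bytes and deliver every complete frame."""
        self.buf += data
        while True:
            term = self._terminator
            if isinstance(term, int):
                if len(self.buf) < term:
                    return                      # wait for more data
                chunk, self.buf = self.buf[:term], self.buf[term:]
            else:
                idx = self.buf.find(term)
                if idx < 0:
                    if len(self.buf) > self.max_length:
                        raise FrameError("header line too long")
                    return
                chunk, self.buf = self.buf[:idx], self.buf[idx + len(term):]
            self._found_terminator(chunk)

    def _found_terminator(self, chunk):
        if self._expect_header:
            try:
                n = int(chunk.decode("ascii").strip())
            except (UnicodeDecodeError, ValueError):
                raise FrameError("bad length header %r" % chunk)
            self._set_terminator(n)             # validated before use
            self._expect_header = False
        else:
            self.frames.append(chunk)
            self._set_terminator(b"\n")
            self._expect_header = True


def parse_frames(data, max_length=65536):
    """Parse one received buffer and return the list of complete frames."""
    reader = FrameReader(max_length)
    reader.feed(data)
    return reader.frames


if __name__ == "__main__":
    print(parse_frames(b"5\nhello3\nabc"))      # [b'hello', b'abc']
    try:
        parse_frames(b"-4\nsomefile.bak")       # constructed bad header
    except FrameError as exc:
        print("rejected:", exc)
```

The reader fails closed on the header, before any slicing happens, which is where the check belongs: once a negative bound has reached `buf[:term]` the mismatch between wire bytes and delivered bytes is silent.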
[issue10340] asyncore doesn't properly handle EINVAL on OSX
Devin Cook added the comment:

This looks resolved. Can it be closed?

--
nosy: +devin

Python tracker <http://bugs.python.org/issue10340>
[issue16632] Enable DEP and ASLR
Changes by Devin Cook:

--
nosy: +devin

Python tracker <http://bugs.python.org/issue16632>
[issue11671] Security hole in wsgiref.headers.Headers
Changes by Devin Cook:

Removed file: http://bugs.python.org/file29182/header_newlines.patch

Python tracker <http://bugs.python.org/issue11671>
[issue11671] Security hole in wsgiref.headers.Headers
Devin Cook added the comment:

The spec doesn't say anything about the header name. It probably should though, as the same issue exists there.

I used two searches because that's how it's done in wsgiref.validate, and it's not a huge deal to do that because the second one will only execute when there's an error. That said, I changed it to how you proposed.

Here's another stab at that patch.

--
Added file: http://bugs.python.org/file29238/header_newlines_tip.patch

Python tracker <http://bugs.python.org/issue11671>
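The check this thread converges on, as an added example that is not the attached wsgiref patch: the WSGI requirement quoted earlier (no control characters, carriage returns or linefeeds in a header value) applied with a single search, and the same rule extended to the header name as the comment above suggests. The `unfold` helper illustrates the RFC 2616 folding rule quoted at the start of the thread; it belongs only on the parsing side of received headers, never on the emitting side, which is why the validator refuses CRLF even when a space follows it. The `Headers` class is a minimal stand-in for `wsgiref.headers.Headers`, and the sample headers are constructed.

```python
"""Reject control characters in HTTP response header names and values.

Added example; not the wsgiref code or the patch from this issue.  The
`Headers` class only mimics the insertion points of wsgiref.headers.Headers.
"""
import re

# Any C0 control (0x00-0x1F, which covers CR and LF) or DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# RFC 2616 token: no separators, whitespace or controls.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 2616 folding LWS: a line break followed by SP or HT.
_FOLD = re.compile(r"\r?\n[ \t]+")


def check_header(name, value):
    """Return (name, value) unchanged, or raise ValueError if either could
    break the CRLF-delimited header block when serialised."""
    if not _TOKEN.match(name):
        raise ValueError("invalid header name %r" % name)
    # One search is enough: on success nothing else runs, on failure the
    # match object already tells us what and where.
    m = _CONTROL.search(value)
    if m:
        raise ValueError("control character %r at offset %d in header %s"
                         % (m.group(), m.start(), name))
    return name, value


def unfold(raw_value):
    """Parsing side only: replace folding LWS with a single SP, as RFC 2616
    permits a recipient to do before interpreting the field value."""
    return _FOLD.sub(" ", raw_value)


class Headers:
    """Stand-in for wsgiref.headers.Headers that validates on every insert."""

    def __init__(self):
        self._headers = []

    def add_header(self, name, value):
        self._headers.append(check_header(name, value))

    def __setitem__(self, name, value):
        name, value = check_header(name, value)
        self._headers = [(n, v) for n, v in self._headers
                         if n.lower() != name.lower()]
        self._headers.append((name, value))

    def serialize(self):
        """Encode the header block the way an HTTP server writes it."""
        lines = ["%s: %s\r\n" % (n, v) for n, v in self._headers]
        return ("".join(lines) + "\r\n").encode("latin-1")


if __name__ == "__main__":
    h = Headers()
    h.add_header("Content-Type", "text/html")
    print(h.serialize())
    try:
        # Constructed value that would inject a second header line.
        h["Location"] = "/home\r\nSet-Cookie: session=constructed"
    except ValueError as exc:
        print("rejected:", exc)
```

Validating at insert time rather than at serialisation time is the point of the patch: by the time the block is written, every later layer has already trusted the value.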
[issue11671] Security hole in wsgiref.headers.Headers
Changes by Devin Cook:

Removed file: http://bugs.python.org/file29192/header_newlines_2.7.patch

Python tracker <http://bugs.python.org/issue11671>
[issue11671] Security hole in wsgiref.headers.Headers
Changes by Devin Cook:

Removed file: http://bugs.python.org/file29193/header_newlines_2.6.patch

Python tracker <http://bugs.python.org/issue11671>