Skip to content

bpo-43223: [SECURITY] Patched Open Redirection In SimpleHTTPServer Module#24848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
hamzaavvan wants to merge 1 commit into from
Closed

bpo-43223: [SECURITY] Patched Open Redirection In SimpleHTTPServer Module #24848

hamzaavvan wants to merge 1 commit into from

Conversation

@hamzaavvan
Copy link

@hamzaavvanhamzaavvan commented Mar 13, 2021
edited
Loading

Due to no protection against multiple (/) at the beginning of a url an attacker could achieve an open redirection by crafting a malformed URI followed by an existing directory.

Payload: http://127.0.0.1:8000//attacker.com/..%2f..%2f../anyexistingdirectory

The main reason behind open redirection is that there's no (/) at the end of anyexistingdirectory because the server is checking for the path supplied is a valid directory at send_head() method from Lib/http/server.py. Right after that, it's checking for the path ending with a (/) or not. So, if there's no (/) at the end of the path then the server will issue a Location header to redirect the web client to that specific directory.

While issuing the redirection, this part //attacker.com/..%2f..%2f../anyexistingdirectory will be sent to the Location header's value due to which any web client or browser will consider it as a new url because of multiple (/) at the beginning of the path.

So to mitigate this issue I decided to use regex to replace all the occurrences of (/) from the beginning of the path.

self.path=re.sub(r'(^(/|\\)+)', '/', self.path)

This regex will replace multiple entries (if present) of (/) or (\) from the beginning of the path. So that the path would be:

  1. //attacker.com/..%2f..%2f../anyexistingdirectory -> /attacker.com/..%2f..%2f../anyexistingdirectory
  2. //\attacker.com/..%2f..%2f../anyexistingdirectory -> /attacker.com/..%2f..%2f../anyexistingdirectory
  3. \//\attacker.com/..%2f..%2f../anyexistingdirectory -> /attacker.com/..%2f..%2f../anyexistingdirectory

And according to these test cases there was no redirection issued from the server after implementing the fix.

https://bugs.python.org/issue43223

@hamzaavvanhamzaavvan changed the title bpo-43223: Patched Open Redirection In SimpleHTTPServer Modulebpo-43223: [SECURITY] Patched Open Redirection In SimpleHTTPServer ModuleMar 13, 2021
vstinner
vstinner reviewed Mar 16, 2021
View reviewed changes
@hamzaavvanhamzaavvanforce-pushed the fix-issue-43223 branch 2 times, most recently from e2137b6 to 403490cCompareMarch 16, 2021 17:42
vstinner
vstinner reviewed Mar 16, 2021
View reviewed changes
@hamzaavvanhamzaavvanforce-pushed the fix-issue-43223 branch 3 times, most recently from f61138a to 0fe6eedCompareMarch 16, 2021 18:09
vstinner
vstinner reviewed Mar 18, 2021
View reviewed changes
Copy link
Member

@vstinnervstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please try to write an unit test?

@github-actions
Copy link

github-actionsbot commented Apr 18, 2021

This PR is stale because it has been open for 30 days with no activity.

@github-actionsgithub-actionsbot added the stale Stale PR or inactive for long period of time. label Apr 18, 2021
@hamzaavvan
Copy link
Author

hamzaavvan commented May 6, 2021

Sorry I was busy with my other projects.
Will be pushing the test case shortly.

@hamzaavvan
Copy link
Author

hamzaavvan commented May 6, 2021

Since I'm new to writing test cases, please help me in correcting the code if something went wrong.

@github-actionsgithub-actionsbot removed the stale Stale PR or inactive for long period of time. label May 7, 2021
ned-deily
ned-deily reviewed May 7, 2021
View reviewed changes
@hamzaavvan
bpo-43223: Fix Open Redirection In http.server module
42eb552
Fix an open redirection vulnerability in the HTTP server when a URL contains ``//``. Added test case for bpo-43223 patch
@ned-deilyned-deily removed their request for review May 21, 2021 22:03
@hamzaavvan
Copy link
Author

hamzaavvan commented Jun 6, 2021

@vstinner please have a look at the unit test.

ambv
ambv requested changes Jul 12, 2021
View reviewed changes
Lib/test/test_http/test_http.py

def test_http_parse_request(self):
self.assertEqual(re.sub(r'^/+', '/', '//test.com'), '/test.com', '//test.com should be converted to a proper relative path')
self.assertEqual(re.sub(r'^/+', '/', '///test.com'), '/test.com', '///test.com should be converted to a proper relative path')
Copy link
Contributor

@ambvambvJul 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't test anything useful. It only checks that some regular expression matches two strings. Since your code change is in http.server, your test should execute the http.server path that you changed.

A good test should fail without your code change to http.server, and pass with your change.

Copy link
Author

@hamzaavvanhamzaavvanAug 21, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I've been away due to my workload. But now as I've got some spare time I can do it better. As I've already said earlier that I'm new to writing these test cases and after checking out your comment I'm still confused about your requirements

Can you please elaborate these two statements:

Since your code change is in http.server, your test should execute the http.server path that you changed.

and this one:

A good test should fail without your code change to http.server, and pass with your change.

Copy link
Contributor

@ambvambvAug 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hamzaavvan, to put it in the simplest terms:

  • on a clean checkout of the main branch, write a test that fails because it triggers the problem described in BPO-43223; this will prove we have a problem;
  • then include your fix to prove that the fix solved the problem.

The test will have to actually run the HTTP server to be useful.

@bedevere-bot
Copy link

bedevere-bot commented Jul 12, 2021

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@jhadvig
Copy link

jhadvig commented Apr 8, 2022

@hamzaavvan ping :)

@hamzaavvan
Copy link
Author

hamzaavvan commented Apr 8, 2022 via email

@hamzaavvanhamzaavvanmannequin mentioned this pull request Apr 10, 2022
Closed
@gpsheadgpshead mentioned this pull request Jun 15, 2022
Merged
@gpshead
Copy link
Member

gpshead commented Jun 15, 2022

This PR has been replaced by #93879

@gpsheadgpshead closed this Jun 15, 2022
@ibm-mend-appibm-mend-appbot mentioned this pull request Sep 17, 2025
Closed
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ambvambvambv requested changes

@ned-deilyned-deilyned-deily left review comments

@vstinnervstinnerAwaiting requested review from vstinner

Assignees

No one assigned

Labels

awaiting changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@hamzaavvan@bedevere-bot@jhadvig@gpshead@ambv@vstinner@ned-deily@the-knights-who-say-ni