bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part


From: Orange Tsai
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Tue, 7 Mar 2017 02:01:06 +0800

I am surprise that `http://address@hidden:address@hidden will connect to `
evil.com`, not `good.com`.
Most of URL parser will recognize `good.com` is host part. Like this
advisory, https://curl.haxx.se/docs/adv_20161102J.html
It seem more dangerous if a developer still rely on the result of parse URL
than my original report.

Some testing:
$ python try.py 'http://address@hidden:address@hidden/x'

Python scheme=http, address@hidden:address@hidden, port=
PHP scheme=http, host=127.2.2.2, port=
Perl scheme=http, host=127.2.2.2, port=80
Ruby2 scheme=http, host=127.2.2.2, port=
GO scheme=http, host=127.2.2.2, port=
Java scheme=http, host=, port=-1
JS scheme=http, host=127.2.2.2, port=null



But it seems also the same root cause and fixed at this patch. :)
By the way, would you mind that allocating a CVE-ID to address this?

2017-03-07 0:11 GMT+08:00 Eli Zaretskii <address@hidden>:

> > From: Tim Ruehsen <address@hidden>
> > Date: Mon, 06 Mar 2017 10:17:25 +0100
> > Cc: Orange Tsai <address@hidden>
> >
> > Thanks, just pushed a commit, not allowing control chars in host part.
>
> Hmm... is it really enough to reject only ASCII control characters?
> Maybe we should also reject control characters from other Unicode
> ranges?  Just a thought.
>



-- 
- Orange -


reply via email to

[Prev in Thread] Current Thread [Next in Thread]