Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
From: Orange Tsai
Subject: Re: [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
Date: Tue, 7 Mar 2017 02:01:06 +0800
I am surprised that `http://address@hidden:address@hidden` will connect to
`evil.com`, not `good.com`.
Most URL parsers will recognize `good.com` as the host part. Like this
advisory, https://curl.haxx.se/docs/adv_20161102J.html
It seems more dangerous, if a developer still relies on the result of parsing
the URL, than my original report.
Some testing:
$ python try.py 'http://address@hidden:address@hidden/x'
Python scheme=http, address@hidden:address@hidden, port=
PHP scheme=http, host=127.2.2.2, port=
Perl scheme=http, host=127.2.2.2, port=80
Ruby2 scheme=http, host=127.2.2.2, port=
GO scheme=http, host=127.2.2.2, port=
Java scheme=http, host=, port=-1
JS scheme=http, host=127.2.2.2, port=null
But it also seems to be the same root cause, and fixed by this patch. :)
By the way, would you mind allocating a CVE-ID to address this?
2017-03-07 0:11 GMT+08:00 Eli Zaretskii <address@hidden>:
> > From: Tim Ruehsen <address@hidden>
> > Date: Mon, 06 Mar 2017 10:17:25 +0100
> > Cc: Orange Tsai <address@hidden>
> >
> > Thanks, just pushed a commit, not allowing control chars in host part.
>
> Hmm... is it really enough to reject only ASCII control characters?
> Maybe we should also reject control characters from other Unicode
> ranges? Just a thought.
>
--
- Orange -
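
Added example, not part of the original message and not the wget patch: a pre-fetch check on the URL authority that rejects the two conditions discussed in this thread, control characters in the host part (including the non-ASCII Unicode ranges raised in the quoted reply) and an authority with more than one `@`, where parsers can disagree on the host. The function names, the choice of Unicode categories, the assumption that the client percent-decodes the authority, and the sample URLs are all assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Unicode general categories treated as unsafe in an authority (assumed policy):
# control (Cc), format (Cf), line separator (Zl), paragraph separator (Zp).
UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}


def split_authority(url):
    """Return the raw authority: the text between '//' and the first '/', '?' or '#'."""
    _, sep, rest = url.partition("//")
    if not sep:
        raise ValueError("URL has no authority component")
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def check_authority(url):
    """Return a list of reasons to reject the URL; an empty list means accepted."""
    problems = []
    # Assumption: the HTTP client may percent-decode the authority before
    # using it, so the check runs on the decoded form.
    decoded = unquote(split_authority(url))
    bad = sorted({f"U+{ord(c):04X}" for c in decoded
                  if unicodedata.category(c) in UNSAFE_CATEGORIES or c.isspace()})
    if bad:
        problems.append("control/format/space characters: " + ", ".join(bad))
    # Conservative: a percent-encoded '@' in userinfo is counted as well.
    if decoded.count("@") > 1:
        problems.append("more than one '@': parsers can disagree on the host")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs (example.com / example.net are placeholders).
    samples = [
        "http://user:pw@example.com:8080/x",
        "http://example.com%0d%0aX-Injected:1/x",
        "http://example.com:80@example.net/x",
        "http://a@example.com@example.net/x",
        "http://exam\u2028ple.com/x",
    ]
    for s in samples:
        print(repr(s), "->", check_authority(s) or "accepted")
```

A URL with a single `@` such as the third sample passes this check; code that then makes an allow-list decision should take the host from the same parser the HTTP client uses.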