Devin Cook added the comment:
I agree that this is probably a bug, but can't think of any instances where
this in itself would cause a security issue. By sending something like a
negative Content-Length, you do indeed get data returned that doesn't really
match the data sent on the wire. If you're able to manipulate the
Content-Length, though, instead of sending a negative value num, you could
instead send len(data) + num.
Here's a simple example I was able to come up with:
Server reads data and runs "echo -n > {data}" (or any write to the file specified
in "data").
Client is supposed to send Content-Length, then that many bytes, expected to be
a file that should be written to.
Client instead sends "-4\n/etc/passwd.bak".
Server runs "echo -n > /etc/passwd".
So that's certainly unexpected behavior. However, this is a fairly low-level
module, and doesn't actually do anything with the data it collects. That's left
to the subclass, and subclasses should be responsible for validating any data
read off the wire before using it.
Attached is a patch to tip, including a new test case.
----------
nosy: +devin
type: security -> behavior
Added file: http://bugs.python.org/file29202/asynchat_tip.patch
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue11259>
_______________________________________
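
The scenario from the comment above, as an added example that is not part of the tracker message or the attached patch. It is a simplified model of a length-prefixed reader rather than asynchat's own code, and it shows that a negative length and `len(data) + num` yield the same bytes, so both the length and the data need checking. The function names, the `/srv/uploads` directory and the 4096-byte cap are assumptions.

```python
import posixpath

# Constructed inputs taken from the comment's example.
SAMPLE_NEGATIVE = b"-4\n/etc/passwd.bak"
SAMPLE_POSITIVE = b"11\n/etc/passwd.bak"   # len(data) + num = 15 + (-4)


class FrameError(ValueError):
    """Raised when a frame's length line or payload is unacceptable."""


def read_frame_naive(wire: bytes) -> bytes:
    """Model of the reported behaviour: slice the payload with the raw length."""
    header, _, payload = wire.partition(b"\n")
    return payload[:int(header)]  # a negative length drops the trailing bytes


def read_frame_checked(wire: bytes, max_len: int = 4096) -> bytes:
    """Accept only an unsigned decimal length that the payload can satisfy."""
    header, sep, payload = wire.partition(b"\n")
    if not sep or not header.isdigit():  # rejects b"-4", b"+4", b"" and b" 4"
        raise FrameError("length line must be unsigned decimal digits")
    n = int(header)
    if n > max_len or n > len(payload):
        raise FrameError("length out of range for this frame")
    return payload[:n]


def safe_target(data: bytes, base: str = "/srv/uploads") -> str:
    """Subclass-level check: the named file must stay under `base`.

    Lexical check only; symlinks inside `base` are not resolved here.
    """
    name = data.decode("ascii")
    path = posixpath.normpath(posixpath.join(base, name))
    if not path.startswith(base + "/"):
        raise FrameError("target outside upload directory")
    return path


if __name__ == "__main__":
    print(read_frame_naive(SAMPLE_NEGATIVE))      # data that was never framed as such
    print(read_frame_checked(SAMPLE_POSITIVE))    # a valid length gives the same bytes
    for wire in (SAMPLE_NEGATIVE, SAMPLE_POSITIVE):
        try:
            print(safe_target(read_frame_checked(wire)))
        except FrameError as exc:
            print("rejected:", exc)
```

Rejecting the negative length fixes the framing surprise, while `safe_target` is the kind of validation the comment assigns to the subclass.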