
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-09-21 02:17 by longwenzhang, last changed 2022-04-11 14:59 by admin. This issue is now closed.
**Files**

| File name | Uploaded | Description |
|---|---|---|
| poc.py | longwenzhang, 2019-09-21 02:17 | |
**Pull Requests**

| URL | Status | Linked |
|---|---|---|
| PR 16373 | merged | corona10, 2019-09-25 04:23 |
| PR 16439 | merged | miss-islington, 2019-09-27 20:00 |
| PR 16440 | merged | miss-islington, 2019-09-27 20:00 |
| PR 16441 | merged | vstinner, 2019-09-27 20:03 |
| PR 16447 | merged | corona10, 2019-09-28 01:20 |
| PR 16516 | merged | vstinner, 2019-10-01 10:59 |
**Messages (19)**

**msg352921** - Author: longwenzhang (longwenzhang) - Date: 2019-09-21 02:17

It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.

Steps to reproduce:

1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() escapes the special symbols (such as `<`, `"` etc.) to make them safe.
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() is not escaped, so if I call `set_server_title('123</title><script>alert(1)</script>')`, it causes XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is the poc.py (run in python2.7) in the attachments.
4. The problem seems to be at https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 `return documenter.page(self.server_title,documentation)`. Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.
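As an added example (not code from the report, the attached PoC, or the CPython patch), the following builds the documenter the way DocXMLRPCServer does but without a socket, renders the documentation page with a constructed hostile title, and reports whether the installed runtime escapes it. `OfflineDocGenerator`, `render_docs`, `title_is_escaped` and `safe_title` are names assumed here; `safe_title` is a hypothetical application-side helper for interpreters that still lack the fix.

```python
"""Runtime check for the bug in this report (bpo-38243 / CVE-2019-16935):
does the local xmlrpc.server escape the title passed to set_server_title()?
Added example, not code from the CPython PR. Builds the documenter the same
way DocXMLRPCServer does (dispatcher + doc generator), but without a socket."""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed, hostile title: closes <title> early and injects a script tag.
HOSTILE_TITLE = 'docs</title><script>alert(1)</script>'


class OfflineDocGenerator(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """The mix-in pair DocXMLRPCServer uses, minus the listening socket,
    so generate_html_documentation() can be called in-process."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def render_docs(title, name='Test server', documentation='A test server.'):
    """Return the HTML page DocXMLRPCServer would serve for GET /."""
    gen = OfflineDocGenerator()
    gen.set_server_name(name)
    gen.set_server_documentation(documentation)
    gen.set_server_title(title)
    return gen.generate_html_documentation()


def title_is_escaped(title=HOSTILE_TITLE):
    """True when the runtime carries the fix: the raw tag never reaches the
    page and the title appears entity-encoded instead."""
    page = render_docs(title)
    return '<script>' not in page and html.escape(title) in page


def safe_title(title):
    """Hypothetical application-side mitigation for runtimes that still lack
    the fix: pre-escape the title only when the runtime does not, so a
    patched runtime does not double-escape it to '&amp;lt;'."""
    return title if title_is_escaped() else html.escape(title)


if __name__ == '__main__':
    print('server_title escaped by this runtime:', title_is_escaped())
```

Because the fix escapes at the output point, the same check also covers the 2.7 DocXMLRPCServer once the backport in this thread is applied, but the import path there is `DocXMLRPCServer`, not `xmlrpc.server`.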
**msg352922** - Author: Karthikeyan Singaravelan (xtreak) - Date: 2019-09-21 04:25

Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/.
**msg353132** - Author: Dong-hee Na (corona10) - Date: 2019-09-25 02:08

Looks like this issue can be solved by the code change below.

@@ -833,7 +834,7 @@ class XMLRPCDocGenerator: def set_server_title(self, server_title): """Set the HTML title of the generated server documentation"""- self.server_title = server_title+ self.server_title = html.escape(server_title)
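Review bot: escaping inside `set_server_title()` stores the escaped string in `self.server_title`, so the attribute no longer holds what the caller passed, and any later change that escapes at render time would double-escape it; the single output point is the `return documenter.page(self.server_title, documentation)` line quoted in the report, where `documentation` is already escaped, so escape there instead (`documenter.page(html.escape(self.server_title), documentation)`) and keep the setter a plain setter. The hunk also does not show whether `html` is imported in this module; a unit test that sets a title containing `<` and asserts that `&lt;` appears in the generated page would cover both points.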
**msg353140** - Author: Dong-hee Na (corona10) - Date: 2019-09-25 04:40

I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)
**msg353169** - Author: STINNER Victor (vstinner) - Date: 2019-09-25 11:00

> Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/.

The private security mailing list has been contacted first and we advise opening a public issue since we consider that it's not a major security issue.

To exploit this bug, the attacker has to control the XML-RPC server title.
**msg353170** - Author: STINNER Victor (vstinner) - Date: 2019-09-25 11:01

> I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)

The attached poc.py seems to show that server name and server documentation are not escaped either.

```python
server.set_server_name('test<script>')
server.set_server_documentation('test<script>')
```

Well, please write a test to check that ;-)
**msg353301** - Author: Dong-hee Na (corona10) - Date: 2019-09-26 13:17

@vstinner Thank you for the feedback. I've updated the PR with the unit test you suggested :-)
**msg353395** - Author: STINNER Victor (vstinner) - Date: 2019-09-27 19:59

New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
**msg353403** - Author: miss-islington (miss-islington) - Date: 2019-09-27 20:18

New changeset 39a0c7555530e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687
**msg353404** - Author: miss-islington (miss-islington) - Date: 2019-09-27 20:19

New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
**msg353407** - Author: STINNER Victor (vstinner) - Date: 2019-09-27 20:27

@Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?
**msg353418** - Author: Dong-hee Na (corona10) - Date: 2019-09-27 21:49

Sure!
**msg353440** - Author: Ned Deily (ned.deily) - Date: 2019-09-28 07:33

New changeset 1698cacfb924d1df452e78d11a4bf81ae7777389 by Ned Deily (Victor Stinner) in branch '3.6': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
**msg353668** - Author: STINNER Victor (vstinner) - Date: 2019-10-01 10:58

New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7': [2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
**msg353677** - Author: STINNER Victor (vstinner) - Date: 2019-10-01 11:51

I prefer to keep it open until the 3.5 backport is merged.
**msg353689** - Author: Dong-hee Na (corona10) - Date: 2019-10-01 12:21

> I prefer to keep it open until the 3.5 backport is merged.

Sorry, I didn't find it. Yes, we should leave it open until the PR is merged.
**msg355614** - Author: Larry Hastings (larry) - Date: 2019-10-29 05:40

New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor Stinner) in branch '3.5': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516)
https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf661803782de
**msg361819** - Author: STINNER Victor (vstinner) - Date: 2020-02-11 14:36

CVE-2019-16935 has been assigned to this vulnerability.
**msg364855** - Author: STINNER Victor (vstinner) - Date: 2020-03-23 14:58

Charalampos Stratakis's advice: if you backport the security fix and test_docxmlrpc starts to hang randomly, you should also backport the bpo-27614 fix. For example, it's the commit 3911d8333c5b6f9374fa11ab7c912f1471580f0f for Python 2.7. We had the issue on RHEL 7.
**History**

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:59:20 | admin | set | github: 82424 |
| 2020-03-23 14:58:02 | vstinner | set | messages: +msg364855 |
| 2020-02-11 14:36:14 | vstinner | set | messages: +msg361819; title: A reflected XSS in python/Lib/DocXMLRPCServer.py -> [security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py |
| 2019-10-29 05:43:00 | larry | set | status: open -> closed; resolution: fixed |
| 2019-10-29 05:40:18 | larry | set | nosy: +larry; messages: +msg355614 |
| 2019-10-01 12:21:52 | corona10 | set | messages: +msg353689 |
| 2019-10-01 11:51:17 | vstinner | set | status: closed -> open; resolution: fixed -> (no value); messages: +msg353677 |
| 2019-10-01 11:28:39 | corona10 | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved |
| 2019-10-01 10:59:41 | vstinner | set | pull_requests: +pull_request16106 |
| 2019-10-01 10:58:04 | vstinner | set | messages: +msg353668 |
| 2019-09-28 07:33:05 | ned.deily | set | nosy: +ned.deily; messages: +msg353440 |
| 2019-09-28 01:20:27 | corona10 | set | pull_requests: +pull_request16026 |
| 2019-09-27 21:49:22 | corona10 | set | messages: +msg353418 |
| 2019-09-27 20:27:01 | vstinner | set | messages: +msg353407 |
| 2019-09-27 20:19:44 | miss-islington | set | messages: +msg353404 |
| 2019-09-27 20:18:19 | miss-islington | set | nosy: +miss-islington; messages: +msg353403 |
| 2019-09-27 20:03:20 | vstinner | set | pull_requests: +pull_request16020 |
| 2019-09-27 20:00:25 | miss-islington | set | pull_requests: +pull_request16019 |
| 2019-09-27 20:00:15 | miss-islington | set | pull_requests: +pull_request16018 |
| 2019-09-27 19:59:40 | vstinner | set | messages: +msg353395 |
| 2019-09-26 13:17:38 | corona10 | set | messages: +msg353301 |
| 2019-09-25 11:01:41 | vstinner | set | messages: +msg353170 |
| 2019-09-25 11:00:43 | vstinner | set | messages: +msg353169 |
| 2019-09-25 04:40:29 | corona10 | set | messages: +msg353140 |
| 2019-09-25 04:23:41 | corona10 | set | keywords: +patch; stage: patch review; pull_requests: +pull_request15953 |
| 2019-09-25 02:08:49 | corona10 | set | messages: +msg353132 |
| 2019-09-25 01:43:44 | corona10 | set | nosy: +corona10 |
| 2019-09-25 01:10:13 | vstinner | set | nosy: +vstinner, mdk |
| 2019-09-21 19:34:38 | ned.deily | set | keywords: +security_issue; priority: normal -> high; versions: +Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9 |
| 2019-09-21 04:25:04 | xtreak | set | nosy: +xtreak; messages: +msg352922 |
| 2019-09-21 02:17:30 | longwenzhang | create | |