python paste dumping raw input

Bug #1718509 reported by Ramon Grullon
This bug affects 1 person
Affects                   Status     Importance  Assigned to  Milestone
paste                     New        Undecided   Unassigned
python-eventlet (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>cross_site_scripting.nasl</script>

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Tue, 19 Sep 2017 20:17:09 GMT
Connection: close

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~

 juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>document.cookie%22testgppq=1191;%22</script>

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 602
Date: Tue, 19 Sep 2017 20:33:26 GMT
Connection: close

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie"testgppq=1191;"</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~

Tags: patch
Marc Deslauriers (mdeslaur) wrote :

Here is a completely untested fix.

Seth Arnold (seth-arnold) wrote :

Hello, it appears we've lost track of this issue.

I don't see this fix in our paste packages.

Has this issue been reported to upstream yet?

Is there a reason for this to remain private?

Thanks

Ramon Grullon (rgrullon)
information type: Private → Public
tags: added: patch
Chris MacNaughton (chris.macnaughton) wrote :

As far as I can tell, this is only ever going to be visible from a malicious client (i.e. somebody running telnet), and is not able to be triggered from a browser (so no actual XSS).

Changed in python-eventlet (Ubuntu):
status: New → Confirmed
Bernard Cafarelli (bcafarel) wrote :

Removing neutron as it is purely in common code and paste itself

no longer affects: neutron
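
The behaviour in the bug description, reproduced with the standard library only. This is an added example, not part of the original report and not code from paste or eventlet: `strict_app` is a constructed stand-in for the path check seen in the traceback, `traceback_to_client` mimics the response shown in the telnet sessions, and `generic_error` is one hardened alternative; all of these names are hypothetical.

```python
import traceback

def strict_app(environ, start_response):
    # Constructed stand-in for the path check seen in the traceback above.
    path = environ.get("PATH_INFO", "")
    if not path.startswith("/"):
        raise AssertionError(
            "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]

def traceback_to_client(app):
    # Behaviour shown in the report: the unhandled exception's traceback,
    # including the raw request path, becomes the 500 response body.
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            return _respond(start_response, "500 Internal Server Error",
                            traceback.format_exc().encode("utf-8"))
    return wrapped

def generic_error(app, server_log):
    # Hardened form: the traceback stays in the server-side log and the
    # client receives a fixed body that contains none of its own input.
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            server_log.append(traceback.format_exc())
            return _respond(start_response, "500 Internal Server Error",
                            b"Internal Server Error\n")
    return wrapped

def call(app, path):
    # Minimal WSGI driver: returns (status line, response body).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                        start_response))
    return seen["status"], body

# Request path taken from the first telnet session in the report.
PAYLOAD = "<script>cross_site_scripting.nasl</script>"
```
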