ZPublisher.HTTPRequest._scrubHeader allows linefeed injection
Bug #930812 reported by
David Glick
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Zope 2 |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
The Zope HTTPResponse APIs for setting response headers use a "_scrubHeader" helper to make sure carriage returns and CRLFs can't be injected into headers.
However it doesn't strip linefeeds (when not following carriage returns), which still allows for header injection with user agents that aren't strict about accepting only CRLF as a header delimiter.
For example, the following sets a cookie in Firefox when it receives the response:
user_input = '\nSet-Cookie: foo=bar' # from a form or query string
response.
CVE References
Revision history for this message
| David Glick (davisagli) wrote | #1 |
Revision history for this message
| Tres Seaver (tseaver) wrote | #2 |
| Changed in zope2: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in zope2: | |
| status: | Confirmed → Fix Committed |
| Changed in zope2: | |
| milestone: | none → 2.13.19 |
| status: | Fix Committed → Fix Released |
| information type: | Private Security → Public |
| information type: | Public → Public Security |
To post a comment you must log in.
Proposed patch attached.