Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#9420 defect closed fixed (fixed)

twisted.web.http.HTTPChannel vulnerable to header injection

Reported by: mark williams
Owned by: mark williams
Priority: normal
Milestone:
Component: web
Keywords:
Cc:
Branch:
Author: Alex Gaynor

Description (last modified by mark williams)

twisted.web.http.HTTPChannel.writeHeaders allows line breaks in header values, so it's possible that a malicious input could inject a new header by including a value with \n or \r\n.

writeHeaders should not write \n or \r\n in response header values.

twisted.web.http_headers.Headers is also vulnerable.

twisted.web.http.Request.cookies also allowed adding invalid values that contained linear whitespace.
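
The behaviour described above, next to one way to prevent it, as an added example that is neither Twisted's code nor the fix committed for this ticket. The function names and the sample header values are constructed for illustration.

```python
# Added illustration: the function names are hypothetical, not Twisted APIs.

def serialize_naive(status_line, headers):
    """Write name/value pairs verbatim, with no validation of either part."""
    lines = [status_line] + [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def sanitize_component(component):
    """Collapse each line break (CRLF, bare CR, bare LF) into one space.

    bytes.splitlines() splits on exactly those three ASCII boundaries.
    """
    return b" ".join(component.splitlines())


def serialize_hardened(status_line, headers):
    """Same serializer, but no header name or value can contain a line break."""
    clean = [(sanitize_component(n), sanitize_component(v)) for n, v in headers]
    return serialize_naive(status_line, clean)


def received_header_names(raw):
    """Header names as seen by a lenient receiver that accepts bare LF line ends."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return [line.split(b":", 1)[0].lower() for line in head.split(b"\n")[1:]]


# Constructed sample: a redirect target taken from untrusted input.
STATUS = b"HTTP/1.1 302 Found"
UNTRUSTED_TARGETS = [
    b"/next\r\nSet-Cookie: session=constructed",  # CRLF inside the value
    b"/next\nX-Extra: 1",                         # bare LF inside the value
]

if __name__ == "__main__":
    for target in UNTRUSTED_TARGETS:
        headers = [(b"Location", target)]
        print("naive:   ", received_header_names(serialize_naive(STATUS, headers)))
        print("hardened:", received_header_names(serialize_hardened(STATUS, headers)))
```

With the naive serializer the receiver sees two headers where the application set one; with sanitized components it sees only `Location`, and the former line break is a space inside its value.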

Change History (7)

comment:1 Changed 4 years ago by mark williams

Description: modified (diff)

comment:2 Changed 4 years ago by mark williams

Description: modified (diff)

comment:3 Changed 4 years ago by mark williams

Keywords: review added

comment:4 Changed 3 years ago by Glyph

Keywords: review removed
Owner: set to mark williams

comment:5 Changed 3 years ago by Tom Most <twm@…>

Resolution: fixed
Status: new → closed

In 63a707ed:


comment:6 Changed 3 years ago by Glyph

This was a duplicate of #3770. (Resolved that one as duplicate since this is where it got fixed.)

Thanks very much to https://github.com/haikuginger for pointing this out so that I resolved the old security bug and didn't leave it lingering for researchers to stumble over and waste time on!

comment:7 Changed 3 years ago by Glyph

FWIW, in the future security changes like this one should go to security@twistedmatrix.com - please see https://twistedmatrix.com/trac/wiki/Security for details.
