From a1457cc31f3206cf691d11d2bf34e98865873e9e Mon Sep 17 00:00:00 2001 From: Sergey Shepelev Date: Wed, 20 May 2020 14:56:12 +0300 Subject: [PATCH] IMPORTANT security vulnerability CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. Special thanks to Recar https://github.com/Ciyfly for discrete notification. https://cwe.mitre.org/data/definitions/93.html --- python2/httplib2/__init__.py | 3 +++ python3/httplib2/__init__.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py index 97e06c1..34281b7 100644 --- a/python2/httplib2/__init__.py +++ b/python2/httplib2/__init__.py @@ -1985,6 +1985,9 @@ class Http(object): headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__ uri = iri2uri(uri) + # Prevent CWE-75 space injection to manipulate request via part of uri. + # Prevent CWE-93 CRLF injection to modify headers via part of uri. + uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A") (scheme, authority, request_uri, defrag_uri) = urlnorm(uri) diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py index 8785cc1..c0b1418 100644 --- a/python3/httplib2/__init__.py +++ b/python3/httplib2/__init__.py @@ -1790,6 +1790,9 @@ a string that contains the response entity body. headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__ uri = iri2uri(uri) + # Prevent CWE-75 space injection to manipulate request via part of uri. + # Prevent CWE-93 CRLF injection to modify headers via part of uri. + uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A") (scheme, authority, request_uri, defrag_uri) = urlnorm(uri) -- 2.23.0