First published: Wed May 20 2020(Updated: )
### Impact Attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. ### Patches Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib. ### Workarounds Create URI with `urllib.parse` family functions: `urlencode`, `urlunsplit`. ```diff user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:" -uri = "https://api.server/?q={}".format(user_input) +uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), "")) http.request(uri) ``` ### References https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification. ### For more information If you have any questions or comments about this advisory: * Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new) * Email [current maintainer at 2020-05](mailto:temotor@gmail.com)
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Httplib2 Project Httplib2 | <0.18.0 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =8.0 | |
pip/httplib2 | <0.18.0 | 0.18.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.