-
-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirect can expose netrc password #1885
Comments
Thanks for this! Right now we don't strip authentication information of any kind on redirects. We could, but we can't ask the user for new credentials, we can only really go to `~/. Thoughts @sigmavirus24? |
We delete any Cookies set. I'm not sure I see the benefit in sending the old credentials to the site we're redirected to. Is there anything in the RFC about this? I would guess it could be considered safe if we're redirecting to the same domain, but otherwise, I don't see a point in sending it along as well. That said, we would be breaking backwards compatibility. Someone relying on this will need to do extra work. |
Agreed, this is backwards incompatible. I'd rather be secure(r) by default, though. Open question: do we reapply |
The more accurate question is: Do we |
Yes, absolutely yes. What about Proxy-Authorization? EDIT: To be clear, we should conditionally delete the Authorization header, only if we're being redirected to a new host. |
Ehhhhhhhh maybe? That's a grey area. My typical mental model of a proxy is on One thing that's nice is we don't have to worry about times when authorization |
@Lukasa I agree! |
This is going to be tricky. Some domains will not want you to keep them when redirecting to sub-domains. It's a safer thing to do than to preserve authorization for redirecting to different domains but it may still be tricky. |
I think we should consider a sub-domain as a new host[¹]. Maybe we can check if user's .netrc has a stanza about the sub-domain when redirecting. Only if we find a stanza about the sub-domain, we send the credentials for the sub-domain we are redirected to. What do you think? [¹] For example, think about *.neocities.org: we can't presume if the owner of two sub-domains is the same. |
Yeah I talked to some of the security guys at Bendyworks about this and they agree with you @EriolV. So a simple check of original_parsed = urlparse(respone.request.url)
redirect_parsed = urlparse(url)
if original_parsed.host != redirect_parsed.host:
del headers['Authorization'] Have we decided about |
Agreed, subdomains have to be treated as new hosts. We can be smart about proxy auth as well, I think. First thing to note is that our proxy model uses one proxy per scheme: if you don't get redirected to a different scheme you can safely keep sending |
Ok, take a look at #1892 for a possible fix. |
@EriolV do you have experience with CVEs? This was reported to debian but is not a debian specific issue. This is our responsibility to report to MITRE, right? |
@sigmavirus24 unfortunately I don't have experience with CVEs, but it's well described here: Sending a request to [email protected] should be enough, As you can see Endi Sukma Dewata also asked me if there are tests for the Proxy-Authorization case. |
Thanks for managing everything @EriolV. I'm going to guess none of you have submitted a CVE so I'm going to request one from MITRE since the CVE suggests just asking them. FWIW, if you would like you can tell Endi that we're going to address the Proxy-Authorization case before the next release but in a separate PR probably. |
Ok, let's summarise the Proxy-Authorization case while we're here and talking about it. Problem: Proxy-Authorization is never re-evaluated when we are redirected. This means that if we're redirected to a new proxy, or away from proxies entirely, we'll keep sending the Proxy-Authorization header. This is bad. Interesting Notes: A few things.
Interim Fix: If we need to rush a 'fix' out the door, we can start by unconditionally removing the Proxy-Authorization header in all cases on redirect. This covers all cases where we don't hit NO_PROXY. Better Fix: Comes in two parts:
That should be all we need: the HTTPAdapter will handle regenerating the Proxy-Authorization header as needed. |
I would like to have everything fixed in one release but if we have to. Stripping out the headers on redirect is enough for me. That at least removes the exposure and makes our users safer even if it temporarily inconveniences them. I mean it's a freaking open source library. Not having a file parsed and used to authenticate for you is the very definition of a First World Problem and for that I'm a bit unsympathetic. I'm also grumpy after a conversation on twitter, so feel free to ignore my bitterness. |
I'm pretty convinced re-evaluating the proxy configuration is a minor amount of work, I'll take a swing at it this weekend. |
Is this issue done, given that re-evaluating is in place now, or is there something missing that has been discussed? |
Hello,
Jakub Wilk reported this on the Debian Bug Tracker[¹]:
Jakub wrote also some tests to show the issue, you can find them attached on the Debian Bug Tracker.
I have already updated requests Debian package (it's ready for the upload) and I can confirm that the issue is present also in requests 2.2.1.
Cheers!
[¹] http://bugs.debian.org/733108
The text was updated successfully, but these errors were encountered: