Path: csiph.com!fu-berlin.de!uni-berlin.de!not-for-mail From: Random832 Newsgroups: comp.lang.python Subject: Re: (repost) Advisory: HTTP Header Injection in Python urllib Date: Fri, 17 Jun 2016 23:52:21 -0400 Lines: 13 Message-ID: References: <87shwbmz0l.fsf@nightsong.com> <57649d22$0$1603$c3e8da3$5496439d@news.astraweb.com> <1466221941.3662846.641269641.7FFA59B4@webmail.messagingengine.com> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Trace: news.uni-berlin.de heDrdkgDHYwMcPzzXAPYlQHyLnJqqRCuEmU9g6/v0E9Q== Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.009 X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00; 'subject:Python': 0.05; 'irc': 0.05; 'received:internal': 0.09; 'ignore': 0.14; 'headers.': 0.16; 'localhost': 0.16; 'message- id:@webmail.messagingengine.com': 0.16; 'received:10.202': 0.16; 'received:10.202.2': 0.16; 'received:10.202.2.212': 0.16; 'received:66.111': 0.16; 'received:66.111.4': 0.16; 'received:66.111.4.27': 0.16; 'received:io': 0.16; 'received:messagingengine.com': 0.16; 'received:out3-smtp.messagingengine.com': 0.16; 'received:psf.io': 0.16; 'subject:urllib': 0.16; 'wrote:': 0.16; 'setup,': 0.22; 'header:In-Reply-To:1': 0.24; 'sort': 0.25; "doesn't": 0.26; 'fri,': 0.27; 'about.': 0.29; 'context,': 0.29; 'admin': 0.29; "i'm": 0.30; 'especially': 0.32; 'subject:) ': 0.32; "d'aprano": 0.33; 'http': 0.33; 'steven': 0.33; 'running': 0.34; 'to:addr :python-list': 0.36; 'subject:: ': 0.37; 'received:10': 0.37; 'really': 0.37; 'received:66': 0.38; 'sure': 0.39; 'to:addr:python.org': 0.40; 'where': 0.40; 'skip:u 10': 0.61; 'header:Message-Id:1': 0.61; 'back': 0.62; 'details': 0.62; "they're": 0.66; 'talking': 0.67; 'demonstrates': 0.84; 'presumably': 0.84; 'victim': 0.84; 'technically': 0.91 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.com; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=TCzRhNBD3KxXbp89/uVhhyh9P2Q=; b=s1WuUZ fxxHLdNR98Q314fmbMr5cLYoGr/fQptrX5NyDFu5JXMXdxLsz9Md5snvxisY3iog Q0ixuJscmLm5qN4do6m89K6/RRAi4avJ0tf14KQqIiZuYJy4erK4vIsonAUVtCgU daV8t1pOrSX58VKIooG5+V1UBIcajlD2GDjxE= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=TCzRhNBD3KxXbp8 9/uVhhyh9P2Q=; b=YgTllxmoS0fH1G8xRo0XTGvJUqqCPDEvH0TikAZydlZ7edz 3eaDpwx8/Exg92YmFI8sNDpJ8EW2te+y3cM8ckwmp1Uhk6BNrDis+/pXZP/XnzbW 1QeoFBGH43QEvCgrOfikLUtT8WsHxEI7jtbTlRYelpJC1RvC36qzGFdumfAo= X-Sasl-Enc: qNR52lSQR6E7PdaAe4BhOzk99ORBQaUfmm8ozDjI7D2B 1466221941 X-Mailer: MessagingEngine.com Webmail Interface - ajax-127413e6 In-Reply-To: <57649d22$0$1603$c3e8da3$5496439d@news.astraweb.com> X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Mailman-Original-Message-ID: <1466221941.3662846.641269641.7FFA59B4@webmail.messagingengine.com> X-Mailman-Original-References: <87shwbmz0l.fsf@nightsong.com> <57649d22$0$1603$c3e8da3$5496439d@news.astraweb.com> Xref: csiph.com comp.lang.python:110082 On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote: > The author doesn't go into details of what sort of attacks against > localhost they're talking about. An unauthenticated service running on > localhost implies, to me, a single-user setup, where presumably the > single-user has admin access to localhost. So I'm not really sure what > "risk" they have The issue - especially clearly in this context, which demonstrates a working exploit for this vulnerability - is cross-site request forgery. Which doesn't technically require the victim service to be HTTP (I remember a proof of concept a while back which would trick a browser into connecting to an IRC server), so long as it can ignore HTTP headers.