Thursday, April 14, 2011

urllib Security Vulnerability Fixed

Guido van Rossum recently pushed a fix for CVE-2011-1521, a security issue in Python's URL libraries. While security issues are rare, it's a good opportunity to let the community in on the process behind reporting, handling, and fixing these issues as they arise.

Reporting an Issue

If you've found a security issue within CPython, the first thing we ask is that you keep the details of the issue private. After determining that you have found a legitimate security issue, generating a succinct but detailed report is key to transferring your knowledge to the core developers.

A good report clearly explains how the relevant parts of the system are affected by the issue. If the issue occurs on a specific platform or due to a dependency, that's helpful to know as well. The affected versions are useful to know, and it's likely that the vulnerability will be tested for all active versions as well. Lastly, if you have a test case that shows the issue, be sure to include it. Your report should be sent to the security@python.org group.

Niels Heinen of the Google Security Team recently submitted a good report. He discovered an issue with HTTP 302 redirection handling in the standard library urllib and urllib2 modules. What he found was that a server could redirect requests to inappropriate schemes, leading to situations which could compromise data or systems. In his initial report, Niels explains two scenarios where these redirections could expose problems.

First, since urllib/urllib2 supplies a handler for the file:// URL scheme, a redirection to file:///etc/passwd could expose password data. Niels also explained that redirection to a system device like file:///dev/zero could exhaust resources, resulting in a denial of service.

Handling a Report

Due to the sensitive nature of security reports, the security@python.org list is maintained by a small group of trusted developers who analyze and act on reports as soon as possible. If you wish to keep your transmissions to the list encrypted, see the security news page for OpenPGP details.

If the group determines that there is in fact a security issue, a public bug report may be made with an accompanying patch. In this case, Guido van Rossum made the issue public in issue #11662, complete with an initial patch.

Fixing the Issue

What Guido's patch does is restrict redirection to http://, https://, and ftp:// URL schemes. FTP redirection was deemed acceptable, and it's actually a common redirection: download mirroring systems sometimes redirect requests to geographically convenient FTP servers.

For Python 2.x, FancyURLopener's redirect_internal method now raises an IOError when redirection to an inappropriate scheme is requested. HTTPRedirectHandler's http_error_302 does the same, only raising HTTPError. In Python 3, urllib.request received the same fixes. Included with the patch are two tests which exercise redirection to both valid and invalid schemes.
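The scheme restriction described above, written as an added example rather than Guido's patch itself: a stand-alone check that accepts only http, https and ftp redirect targets, plus a Python 3 urllib.request handler subclass that applies it (the helper names and the sample Location values are assumptions, not stdlib API).

```python
import urllib.error
import urllib.parse
import urllib.request

# The only schemes an HTTP 3xx response may redirect to, as in the fix.
ALLOWED_REDIRECT_SCHEMES = ("http", "https", "ftp")


def check_redirect_target(newurl):
    """Return the scheme of newurl if redirecting to it is permitted.

    Raises ValueError for any other scheme (file://, etc.). A relative
    target has no scheme and is allowed, since urllib resolves it against
    the original HTTP(S) URL rather than handing it to another opener.
    """
    scheme = urllib.parse.urlsplit(newurl).scheme.lower()
    if scheme and scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise ValueError("redirection to %s:// not allowed (%s)" % (scheme, newurl))
    return scheme or "relative"


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler showing where the check hooks into urllib.request.

    Current CPython performs this check in HTTPRedirectHandler already; the
    subclass exists only to make the control flow of the fix visible.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            check_redirect_target(newurl)
        except ValueError as exc:
            # As in the fix: refuse by raising HTTPError instead of following.
            raise urllib.error.HTTPError(newurl, code, str(exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def classify_redirects(targets):
    """Map each constructed Location value to 'ok' or 'blocked'."""
    results = {}
    for url in targets:
        try:
            check_redirect_target(url)
            results[url] = "ok"
        except ValueError:
            results[url] = "blocked"
    return results


if __name__ == "__main__":
    # Constructed sample Location headers, including the two from the report.
    sample = ["https://example.org/x", "ftp://mirror.example/pkg.tgz",
              "file:///etc/passwd", "file:///dev/zero", "/relative/path"]
    for url, verdict in classify_redirects(sample).items():
        print(verdict, url)
```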

As for users receiving the fix, the final security release of Python 2.5 will be occurring soon. While there are no scheduled dates for the next patch releases of the maintenance branches - 2.6, 2.7, 3.1, and 3.2 - all received the code to fix the vulnerability.