From patchwork Wed Jul 15 15:30:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1329629 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=rockwellcollins.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=k1zMdvuP; dkim-atps=neutral Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B6LvG1bf0z9sRK for ; Thu, 16 Jul 2020 01:31:06 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 017A38B5C4; Wed, 15 Jul 2020 15:31:04 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfuiaOYVTF84; Wed, 15 Jul 2020 15:31:00 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id 6C0408B5AA; Wed, 15 Jul 2020 15:31:00 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id A9B6F1BF349 for ; Wed, 15 Jul 2020 15:30:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id A34188B55B for ; Wed, 15 Jul 2020 15:30:59 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6OK0XN1MNZC for ; Wed, 15 Jul 2020 15:30:58 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from da1vs05.rockwellcollins.com (da1vs05.rockwellcollins.com [205.175.227.130]) by whitealder.osuosl.org (Postfix) with ESMTPS id 39F098B54F for ; Wed, 15 Jul 2020 15:30:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rockwellcollins.com; s=hrcrc2020; h=from:to:cc:subject:date:message-id; bh=bJRuFGEJUjG1tgw/MiwB8r8keRct/EyEkADlDQTf3uw=; b=k1zMdvuPk6zSoCQBSiHcgoMQpilsWKUxWr9mrr5MCDqd94jQ6sYY8tht r9DqDGIep+o9QgqE5u+qYJFFb7FtrMEJzVOiV8VYdqsQwEgN6aeHl736X eID8FfiW1071qfkuV6QvsePujYuUUs0y3kCdTDANl3NiDgYVViAMuwlvb wZ8bd06lhjx/jSnUfcOIVSJSwlK0gUf69ybo+gKItPPuiWeXeaEtT3xdi omeRYKzFW2qbpdMI5q76oVCWhzH6c5hcUweYQUNiNBgXbQAyFa1gzMEGn pCqdrfjiItDnIUTNZ/ftSlDFffwshMjiLziTyLrhsCTkcC6AE8mUhCiPg Q==; IronPort-SDR: L/Yl/Jbv1QomwW6i373DelqaU3Rm3wiXIOm0H1V74F5d5Hv79IaHhhvDfef3fELfCqTUNrM1Bj EIGyIoS6Pc+/4PJlzNjGvOGp8cfTlJCjXNm0Y4AoThCgZ4iTwH3qbrLPyFawlh5GuDIMcckfdZ OAJg8U54+KJ2FfLikmZeEtdDwI9Eq+c0HX6ISNG8ADwYWTyQwQj+VfUCx6sCYOuZHLz6zVOTcB 8uiOD4uNH/Du9rUdMHgoCR9msEeYZEAUdR5XwXiWxV9yCEw8NVcUUNXXaK9rT+PiYUNnbRAIMr 7lE= Received: from ofwda1n02.rockwellcollins.com (HELO crulimr02.rockwellcollins.com) ([205.175.227.14]) by da1vs05.rockwellcollins.com with ESMTP; 15 Jul 2020 10:30:57 -0500 X-Received: from biscuits.rockwellcollins.com (biscuits.rockwellcollins.lab [10.148.119.137]) by crulimr02.rockwellcollins.com (Postfix) with ESMTP id 317DC6088B; Wed, 15 Jul 2020 10:30:57 -0500 (CDT) From: Matt Weber To: buildroot@buildroot.org Date: Wed, 15 Jul 2020 10:30:56 -0500 Message-Id: <20200715153056.26874-1-matthew.weber@rockwellcollins.com> X-Mailer: git-send-email 2.17.1 Subject: [Buildroot] [2020.02.x] package/python-twisted: Fix several request smuggling attacks X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Matt Weber MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" CVE-2020-10108 In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. CVE-2020-10109 In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. Signed-off-by: Matthew Weber --- ...ix-several-request-smuggling-attacks.patch | 271 ++++++++++++++++++ 1 file changed, 271 insertions(+) create mode 100644 package/python-twisted/0001-fix-several-request-smuggling-attacks.patch diff --git a/package/python-twisted/0001-fix-several-request-smuggling-attacks.patch b/package/python-twisted/0001-fix-several-request-smuggling-attacks.patch new file mode 100644 index 0000000000..9fe15ad7b8 --- /dev/null +++ b/package/python-twisted/0001-fix-several-request-smuggling-attacks.patch @@ -0,0 +1,271 @@ +From 4a7d22e490bb8ff836892cc99a1f54b85ccb0281 Mon Sep 17 00:00:00 2001 +From: Mark Williams +Date: Sun, 16 Feb 2020 19:00:10 -0800 +Subject: [PATCH] Fix several request smuggling attacks. + +1. Requests with multiple Content-Length headers were allowed (thanks +to Jake Miller from Bishop Fox and ZeddYu Lu) and now fail with a 400; + +2. Requests with a Content-Length header and a Transfer-Encoding +header honored the first header (thanks to Jake Miller from Bishop +Fox) and now fail with a 400; + +3. Requests whose Transfer-Encoding header had a value other than +"chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail +with a 400. + +Fixes CVE-2020-10108 & CVE-2020-10109 - HTTP request splitting +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109 + +Upstream: +https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 + +Signed-off-by: Matthew Weber + + +--- + src/twisted/web/http.py | 64 +++++++--- + src/twisted/web/newsfragments/9770.bugfix | 1 + + src/twisted/web/test/test_http.py | 137 ++++++++++++++++++++++ + 3 files changed, 187 insertions(+), 15 deletions(-) + create mode 100644 src/twisted/web/newsfragments/9770.bugfix + +diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py +index f0fb05b4d69..06d830fe30f 100644 +--- a/src/twisted/web/http.py ++++ b/src/twisted/web/http.py +@@ -2171,6 +2171,51 @@ def _finishRequestBody(self, data): + self.allContentReceived() + self._dataBuffer.append(data) + ++ def _maybeChooseTransferDecoder(self, header, data): ++ """ ++ If the provided header is C{content-length} or ++ C{transfer-encoding}, choose the appropriate decoder if any. ++ ++ Returns L{True} if the request can proceed and L{False} if not. ++ """ ++ ++ def fail(): ++ self._respondToBadRequestAndDisconnect() ++ self.length = None ++ ++ # Can this header determine the length? ++ if header == b'content-length': ++ try: ++ length = int(data) ++ except ValueError: ++ fail() ++ return False ++ newTransferDecoder = _IdentityTransferDecoder( ++ length, self.requests[-1].handleContentChunk, self._finishRequestBody) ++ elif header == b'transfer-encoding': ++ # XXX Rather poorly tested code block, apparently only exercised by ++ # test_chunkedEncoding ++ if data.lower() == b'chunked': ++ length = None ++ newTransferDecoder = _ChunkedTransferDecoder( ++ self.requests[-1].handleContentChunk, self._finishRequestBody) ++ elif data.lower() == b'identity': ++ return True ++ else: ++ fail() ++ return False ++ else: ++ # It's not a length related header, so exit ++ return True ++ ++ if self._transferDecoder is not None: ++ fail() ++ return False ++ else: ++ self.length = length ++ self._transferDecoder = newTransferDecoder ++ return True ++ + + def headerReceived(self, line): + """ +@@ -2196,21 +2241,10 @@ def headerReceived(self, line): + + header = header.lower() + data = data.strip() +- if header == b'content-length': +- try: +- self.length = int(data) +- except ValueError: +- self._respondToBadRequestAndDisconnect() +- self.length = None +- return False +- self._transferDecoder = _IdentityTransferDecoder( +- self.length, self.requests[-1].handleContentChunk, self._finishRequestBody) +- elif header == b'transfer-encoding' and data.lower() == b'chunked': +- # XXX Rather poorly tested code block, apparently only exercised by +- # test_chunkedEncoding +- self.length = None +- self._transferDecoder = _ChunkedTransferDecoder( +- self.requests[-1].handleContentChunk, self._finishRequestBody) ++ ++ if not self._maybeChooseTransferDecoder(header, data): ++ return False ++ + reqHeaders = self.requests[-1].requestHeaders + values = reqHeaders.getRawHeaders(header) + if values is not None: +diff --git a/src/twisted/web/newsfragments/9770.bugfix b/src/twisted/web/newsfragments/9770.bugfix +new file mode 100644 +index 00000000000..4f1be97de8a +--- /dev/null ++++ b/src/twisted/web/newsfragments/9770.bugfix +@@ -0,0 +1 @@ ++Fix several request smuggling attacks: requests with multiple Content-Length headers were allowed (thanks to Jake Miller from Bishop Fox and ZeddYu Lu) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (thanks to Jake Miller from Bishop Fox) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail a 400. +\ No newline at end of file +diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py +index 0a0db09b750..578cb500cda 100644 +--- a/src/twisted/web/test/test_http.py ++++ b/src/twisted/web/test/test_http.py +@@ -2252,6 +2252,143 @@ def process(self): + self.flushLoggedErrors(AttributeError) + + ++ def assertDisconnectingBadRequest(self, request): ++ """ ++ Assert that the given request bytes fail with a 400 bad ++ request without calling L{Request.process}. ++ ++ @param request: A raw HTTP request ++ @type request: L{bytes} ++ """ ++ class FailedRequest(http.Request): ++ processed = False ++ def process(self): ++ FailedRequest.processed = True ++ ++ channel = self.runRequest(request, FailedRequest, success=False) ++ self.assertFalse(FailedRequest.processed, "Request.process called") ++ self.assertEqual( ++ channel.transport.value(), ++ b"HTTP/1.1 400 Bad Request\r\n\r\n") ++ self.assertTrue(channel.transport.disconnecting) ++ ++ ++ def test_duplicateContentLengths(self): ++ """ ++ A request which includes multiple C{content-length} headers ++ fails with a 400 response without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Content-Length: 56', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_duplicateContentLengthsWithPipelinedRequests(self): ++ """ ++ Two pipelined requests, the first of which includes multiple ++ C{content-length} headers, trigger a 400 response without ++ calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Content-Length: 56', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ b'GET /a HTTP/1.1', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_contentLengthAndTransferEncoding(self): ++ """ ++ A request that includes both C{content-length} and ++ C{transfer-encoding} headers fails with a 400 response without ++ calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: chunked', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_contentLengthAndTransferEncodingWithPipelinedRequests(self): ++ """ ++ Two pipelined requests, the first of which includes both ++ C{content-length} and C{transfer-encoding} headers, triggers a ++ 400 response without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: chunked', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ b'GET /a HTTP/1.1', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_unknownTransferEncoding(self): ++ """ ++ A request whose C{transfer-encoding} header includes a value ++ other than C{chunked} or C{identity} fails with a 400 response ++ without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: unknown', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_transferEncodingIdentity(self): ++ """ ++ A request with a valid C{content-length} and a ++ C{transfer-encoding} whose value is C{identity} succeeds. ++ """ ++ body = [] ++ ++ class SuccessfulRequest(http.Request): ++ processed = False ++ def process(self): ++ body.append(self.content.read()) ++ self.setHeader(b'content-length', b'0') ++ self.finish() ++ ++ request = b'''\ ++GET / HTTP/1.1 ++Host: host.invalid ++Content-Length: 2 ++Transfer-Encoding: identity ++ ++ok ++''' ++ channel = self.runRequest(request, SuccessfulRequest, False) ++ self.assertEqual(body, [b'ok']) ++ self.assertEqual( ++ channel.transport.value(), ++ b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n', ++ ) ++ ++ + + class QueryArgumentsTests(unittest.TestCase): + def testParseqs(self):