Bug 1046626 (CVE-2014-1829)

Summary: CVE-2014-1829 python-requests: redirect can expose netrc password
Product: [Other] Security Response
Reporter: Ratul Gupta <ratulg>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abaron, aneelica, aortega, apevec, ayoung, carnil, ccoleman, chrisw, dallan, dmcphers, edewata, erik, eriol, gkotton, gmollett, iheim, jialiu, joelsmith, jokerman, jrusnack, kseifried, lhh, lmeyer, lpeer, ltoscano, markmc, mmccomas, mmcgrath, pfrields, rbean, rbryant, rhos-maint, sagarun, sclewis, scorneli, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-requests 2.3.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-20 18:20:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1046627, 1046628, 1046629, 1144910
Bug Blocks: 1046630
Attachments: Test Case to reproduce this bug. (Flags: none)

Description Ratul Gupta 2013-12-26 11:48:44 UTC
Python-requests was found to have a vulnerability where an attacker can retrieve passwords from the ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file.

If site A redirects to site B, and the user had a password for site A in their ~/.netrc, then requests would send authorization information both to site A and to site B.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108
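The redirect step described in this report, as an added example that is not part of the bug report, the attached test case, or python-requests itself. It models a client that resolved ~/.netrc credentials for site A and then follows a redirect to site B: with `strip_cross_host_auth=False` the Authorization header is forwarded unchanged (the behaviour reported here), and with the default the header built for the old host is dropped when the host changes and credentials for the new host come only from that host's own netrc entry. The host names `site-a.example` and `site-b.example`, the netrc contents, and all helper names are constructed for this demonstration.

```python
# Added example, not code from the bug report or from python-requests.
# Host names, netrc contents and helper names are constructed.
import base64
import os
import tempfile
from netrc import netrc, NetrcParseError
from urllib.parse import urljoin, urlsplit


def basic_auth_header(login, password):
    """HTTP Basic value: base64 of 'login:password', which is exactly
    what the attached test case decodes back into the netrc entry."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_for(host, netrc_path):
    """Look up a host in a netrc file; None when absent or unreadable."""
    try:
        entry = netrc(netrc_path).authenticators(host)
    except (OSError, NetrcParseError):
        return None
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def follow_redirect(request_url, location, headers, netrc_path,
                    strip_cross_host_auth=True):
    """Return (next_url, next_headers) for one redirect hop.

    strip_cross_host_auth=False reproduces the reported behaviour: every
    header, Authorization included, is forwarded to the redirect target.
    With the default True, an Authorization header built for the old host
    is removed whenever the host changes, and the new host receives only
    credentials stored for it in netrc (a simplified version of the
    upstream fix shape, not requests' own code).
    """
    next_url = urljoin(request_url, location)
    next_headers = dict(headers)
    old_host = urlsplit(request_url).hostname
    new_host = urlsplit(next_url).hostname
    if strip_cross_host_auth and old_host != new_host:
        next_headers.pop("Authorization", None)
        creds = credentials_for(new_host, netrc_path)
        if creds:
            next_headers["Authorization"] = basic_auth_header(*creds)
    return next_url, next_headers


def write_sample_netrc():
    """Write a constructed netrc holding an entry for site-a.example only."""
    fd, path = tempfile.mkstemp(prefix="netrc-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write("machine site-a.example login alice password s3cret\n")
    return path


def demo():
    """Run the hop site A -> site B both ways and report what B would see."""
    netrc_path = write_sample_netrc()
    try:
        creds = credentials_for("site-a.example", netrc_path)
        headers = {"Authorization": basic_auth_header(*creds)}
        start = "https://site-a.example/login"
        target = "https://site-b.example/landing"
        _, leaked = follow_redirect(start, target, headers, netrc_path,
                                    strip_cross_host_auth=False)
        _, fixed = follow_redirect(start, target, headers, netrc_path)
        _, same_host = follow_redirect(start, "/next", headers, netrc_path)
        return {
            "vulnerable": leaked.get("Authorization"),   # site A's credentials reach site B
            "fixed": fixed.get("Authorization"),         # None: site B has no netrc entry
            "same_host": same_host.get("Authorization"), # kept: host did not change
        }
    finally:
        os.unlink(netrc_path)


if __name__ == "__main__":
    for mode, value in demo().items():
        print(f"{mode:>10}: {value}")
```

The host comparison is deliberately on the hostname only; a redirect that keeps the host but changes path or scheme still carries the header, which matches what a netrc `machine` entry promises. Passing the netrc path explicitly bypasses the permission check the `netrc` module applies to the default `~/.netrc`, so the demonstration runs from any temporary location.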

Comment 2 Ratul Gupta 2013-12-26 11:50:40 UTC
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1046627]
Affects: epel-6 [bug 1046628]

Comment 3 Ratul Gupta 2013-12-26 11:56:12 UTC
Created attachment 841867 [details]
Test Case to reproduce this bug.

Some test scripts are attached to reproduce the bug, when executed, gives a Base64 encoded string, which when decoded, gives the username:password stored in the ~/.netrc file.

Comment 4 Endi Sukma Dewata 2014-01-20 19:16:43 UTC
Ratul, the attached test scripts seem to work with python 3 only. Could you provide test scripts for python 2 too? Thanks.

Comment 5 Endi Sukma Dewata 2014-01-20 20:11:15 UTC
According to the Debian bug linked above, the problem happens on python3-requests version 2.0.0. Fedora 20 only has python-requests and python3-requests version 1.2.3. Running the python3 test scripts above on Fedora 20 did not reproduce the problem.

Comment 11 Tomas Hoger 2014-01-28 08:09:18 UTC
Upstream bug report:
https://github.com/kennethreitz/requests/issues/1885

Comment 13 Daniele Tricoli 2014-01-28 17:08:05 UTC
Hello, I'm the Debian maintainer of python-requests: the issue is also present in the Python 2 version. You can run testhttpclient.py also using Python 2 (only testhttpserve.py is Python 3 only, but the server part is not important for this issue) and you will get the same result. See what upstream replied to me:
https://github.com/kennethreitz/requests/issues/1885#issuecomment-33436124

Cheers!

Comment 14 Endi Sukma Dewata 2014-01-28 17:31:37 UTC
Hi Daniele, yes, I didn't run the test correctly. I can reproduce the problem on F20 now. Is the code in the above link supposed to be the final solution? Is there any test case for Proxy-Authorization?

Comment 15 Daniele Tricoli 2014-01-31 12:57:47 UTC
Hello Endi, sorry for the delay in my reply.

The final solution should be this:
https://github.com/kennethreitz/requests/pull/1892

But as you can see Kenneth said that he needs to think about this.

I'm not aware of a test case for Proxy-Authorization but I asked for it in the upstream tracker[¹] and they replied that it will be addressed before the next release[²].

As I said in [¹] I don't know if you already requested a CVE for this, anyway upstream is going to ask for one.

[¹] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33790719
[²] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33791215

Comment 16 Arun Babu Neelicattu 2014-09-21 11:47:49 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/python/2014/1829.yaml

Comment 17 Arun Babu Neelicattu 2014-09-22 01:14:05 UTC
Created python-requests tracking bugs for this issue:

Affects: epel-7 [bug 1144910]

Comment 20 Vincent Danen 2015-01-21 17:23:30 UTC
Statement:

This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 7 as they included a fix for this issue at GA.

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.