Bug 1046626 - (CVE-2014-1829) CVE-2014-1829 python-requests: redirect can expose netrc password
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20131225,reported=2...
Keywords: Security
Depends On: 1046627 1046628 1046629 1144910
Blocks: 1046630
Reported: 2013-12-26 06:48 EST by Ratul Gupta
Modified: 2016-04-26 11:18 EDT
Doc Type: Bug Fix
Last Closed: 2015-01-20 13:20:34 EST


Attachments:
Test Case to reproduce this bug. (787 bytes, application/x-zip-compressed), 2013-12-26 06:56 EST, Ratul Gupta
Description Ratul Gupta 2013-12-26 06:48:44 EST
Python-requests was found to have a vulnerability where an attacker can retrieve passwords from the ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file.

If site A redirects to site B, and the user had a password for site A in their ~/.netrc, then requests would send authorization information both to site A and to site B.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108
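The redirect behaviour described in this report, as an added example that is not the reporter's attached test case and not python-requests code: a stand-in client resolves Basic auth from a netrc file and follows a 302 from site A to site B. The vulnerable variant carries the Authorization header across the redirect unchanged, so site B receives A's netrc credentials; the hardened variant drops the header when the host changes and re-resolves netrc for the new host, which is the approach the upstream fix took (that characterisation, and all hosts, credentials and the redirect map below, are this example's own assumptions, not taken from the page).

```python
import base64
import os
import tempfile
from netrc import netrc
from urllib.parse import urlparse

# Constructed ~/.netrc contents for this example (not real credentials).
NETRC_TEXT = "machine site-a.example login alice password s3cret\n"

# Constructed redirect map standing in for the two web servers:
# site A answers with a 302 Location pointing at site B.
REDIRECTS = {"http://site-a.example/login": "http://site-b.example/landing"}


def load_netrc(text):
    """Parse netrc text with the stdlib parser (it wants a file path)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return netrc(path)
    finally:
        os.unlink(path)


def basic_auth_header(login, password):
    """Build the HTTP Basic Authorization value for login:password."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return "Basic " + token


def netrc_auth_for(url, rc):
    """Return the Basic header for url's host if netrc has an entry, else None."""
    entry = rc.authenticators(urlparse(url).hostname)
    if entry is None:
        return None
    login, _account, password = entry
    return basic_auth_header(login, password)


def decode_basic(header):
    """What the receiving server sees: the netrc username:password in clear."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def keep_auth(headers, old_url, new_url, rc):
    """Vulnerable policy: every header, Authorization included, follows the redirect."""
    return dict(headers)


def rebuild_auth(headers, old_url, new_url, rc):
    """Hardened policy: strip Authorization on host change, re-resolve netrc for new host."""
    headers = dict(headers)
    if urlparse(old_url).hostname != urlparse(new_url).hostname:
        headers.pop("Authorization", None)
    new_auth = netrc_auth_for(new_url, rc)
    if new_auth is not None and "Authorization" not in headers:
        headers["Authorization"] = new_auth
    return headers


def follow_redirects(url, rc, redirect_policy):
    """Simulated client; returns [(url_requested, Authorization value sent or None), ...]."""
    headers = {}
    auth = netrc_auth_for(url, rc)
    if auth is not None:
        headers["Authorization"] = auth
    sent, seen = [], {url}
    while True:
        sent.append((url, headers.get("Authorization")))
        nxt = REDIRECTS.get(url)
        if nxt is None or nxt in seen:  # no redirect, or a loop: stop
            return sent
        seen.add(nxt)
        headers = redirect_policy(headers, url, nxt, rc)
        url = nxt


if __name__ == "__main__":
    rc = load_netrc(NETRC_TEXT)
    for name, policy in (("vulnerable", keep_auth), ("hardened", rebuild_auth)):
        for hop_url, auth in follow_redirects("http://site-a.example/login", rc, policy):
            shown = decode_basic(auth) if auth else "(no Authorization header)"
            print(f"{name}: {hop_url} -> {shown}")
```

With the vulnerable policy the second hop, to site-b.example, carries `alice:s3cret`, which is exactly the Base64 string the attached test case recovers; with the hardened policy the second hop carries no Authorization header because netrc has no entry for site B.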
Comment 2 Ratul Gupta 2013-12-26 06:50:40 EST
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1046627]
Affects: epel-6 [bug 1046628]
Comment 3 Ratul Gupta 2013-12-26 06:56:12 EST
Created attachment 841867 [details]
Test Case to reproduce this bug.

Some test scripts are attached to reproduce the bug; when executed, they give a Base64-encoded string which, when decoded, yields the username:password stored in the ~/.netrc file.
Comment 4 Endi Sukma Dewata 2014-01-20 14:16:43 EST
Ratul, the attached test scripts seem to work with python 3 only. Could you provide test scripts for python 2 too? Thanks.
Comment 5 Endi Sukma Dewata 2014-01-20 15:11:15 EST
According to the Debian bug linked above, the problem happens on python3-requests version 2.0.0. Fedora 20 only has python-requests and python3-requests version 1.2.3. Running the python3 test scripts above on Fedora 20 did not reproduce the problem.
Comment 11 Tomas Hoger 2014-01-28 03:09:18 EST
Upstream bug report:
https://github.com/kennethreitz/requests/issues/1885
Comment 13 Daniele Tricoli 2014-01-28 12:08:05 EST
Hello, I'm the Debian maintainer of python-requests: the issue is also present in the Python 2 version. You can run testhttpclient.py also using Python 2 (only testhttpserve.py is Python 3 only, but the server part is not important for this issue) and you will get the same result. See what upstream replied to me:
https://github.com/kennethreitz/requests/issues/1885#issuecomment-33436124

Cheers!
Comment 14 Endi Sukma Dewata 2014-01-28 12:31:37 EST
Hi Daniele, yes, I didn't run the test correctly. I can reproduce the problem on F20 now. Is the code in the above link supposed to be the final solution? Is there any test case for Proxy-Authorization?
Comment 15 Daniele Tricoli 2014-01-31 07:57:47 EST
Hello Endi, sorry for the delay in my reply.

The final solution should be this: 
https://github.com/kennethreitz/requests/pull/1892

But as you can see Kenneth said that he needs to think about this.

I'm not aware of a test case for Proxy-Authorization, but I asked for it in the upstream tracker[¹] and they replied that it will be addressed before the next release[²].

As I said in [¹] I don't know if you already requested a CVE for this, anyway upstream is going to ask for one.

[¹] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33790719
[²] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33791215
Comment 16 Arun Babu Neelicattu 2014-09-21 07:47:49 EDT
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/python/2014/1829.yaml
Comment 17 Arun Babu Neelicattu 2014-09-21 21:14:05 EDT
Created python-requests tracking bugs for this issue:

Affects: epel-7 [bug 1144910]
Comment 20 Vincent Danen 2015-01-21 12:23:30 EST
Statement:

This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 7 as they included a fix for this issue at GA.

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
