Bug 1046626 (CVE-2014-1829) - CVE-2014-1829 python-requests: redirect can expose netrc password
Summary: CVE-2014-1829 python-requests: redirect can expose netrc password
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-1829
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1046627 1046628 1046629 1144910
Blocks: 1046630
TreeView+ depends on / blocked
 
Reported: 2013-12-26 11:48 UTC by Ratul Gupta
Modified: 2021-02-17 07:03 UTC (History)
36 users (show)

Fixed In Version: python-requests 2.3.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-20 18:20:34 UTC
Embargoed:


Attachments (Terms of Use)
Test Case to reproduce this bug. (787 bytes, application/x-zip-compressed)
2013-12-26 11:56 UTC, Ratul Gupta
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1144907 0 low CLOSED CVE-2014-1830 python-requests: Proxy-Authorization header leak 2021-02-22 00:41:40 UTC

Internal Links: 1144907

Description Ratul Gupta 2013-12-26 11:48:44 UTC
Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file.

If site A redirects to site B, and user had a password for site A in their ~/.netrc, then requests would send authorization information both to site A and to site B.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108

Comment 2 Ratul Gupta 2013-12-26 11:50:40 UTC
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1046627]
Affects: epel-6 [bug 1046628]

Comment 3 Ratul Gupta 2013-12-26 11:56:12 UTC
Created attachment 841867 [details]
Test Case to reproduce this bug.

Some test scripts are attached to reproduce the bug, when executed, gives a Base64 encoded string, which when decoded, gives the username:password stored in the ~/.netrc file.

Comment 4 Endi Sukma Dewata 2014-01-20 19:16:43 UTC
Ratul, the attached test scripts seem to work with python 3 only. Could you provide test scripts for python 2 too? Thanks.

Comment 5 Endi Sukma Dewata 2014-01-20 20:11:15 UTC
According to the Debian bug linked above, the problem happens on python3-requests version 2.0.0. Fedora 20 only has python-requests and python3-requests version 1.2.3. Running the python3 test scripts above on Fedora 20 did not reproduce the problem.

Comment 11 Tomas Hoger 2014-01-28 08:09:18 UTC
Upstream bug report:
https://github.com/kennethreitz/requests/issues/1885

Comment 13 Daniele Tricoli 2014-01-28 17:08:05 UTC
Hello, I'm the Debian maintainer of python-requests: the issue is also present in the Python2 version. You can run testhttpclient.py also using Python2 (only testhttpserve.py is Python3 only, but the server part is not importat for this issue) and you will get the same result. See what upstream replied me:
https://github.com/kennethreitz/requests/issues/1885#issuecomment-33436124

Cheers!

Comment 14 Endi Sukma Dewata 2014-01-28 17:31:37 UTC
Hi Daniele, yes, I didn't run the test correctly. I can reproduce the problem on F20 now. Is the code in the above link supposed to be the final solution? Is there any test case for Proxy-Authorization?

Comment 15 Daniele Tricoli 2014-01-31 12:57:47 UTC
Hello Endi, sorry for the delay in my reply.

The final solution should be this: 
https://github.com/kennethreitz/requests/pull/1892

But as you can see Kenneth said that he needs to think about this.

I'm not aware of a test case for Proxy-Authorization but I asked for it in upstream traker[¹] and they replied that it will be addressed before the next release[²].

As I said in [¹] I don't know if you already requested a CVE for this, anyway upstream is going to ask for one.

[¹] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33790719
[²] https://github.com/kennethreitz/requests/issues/1885#issuecomment-33791215

Comment 16 Arun Babu Neelicattu 2014-09-21 11:47:49 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/python/2014/1829.yaml

Comment 17 Arun Babu Neelicattu 2014-09-22 01:14:05 UTC
Created python-requests tracking bugs for this issue:

Affects: epel-7 [bug 1144910]

Comment 20 Vincent Danen 2015-01-21 17:23:30 UTC
Statement:

This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 7 as they included a fix for this issue at GA.

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.