OSV: GHSA-GG84-QGV9-W4PQ
May 20, 2020 - 3:55 p.m.

CRLF injection in httplib2

Published 2020-05-20 15:55:47 (Google, osv.dev)

EPSS: 0.005 (Low), percentile 75.8%

Impact

An attacker who controls an unescaped part of the uri passed to httplib2.Http.request() can inject CR/LF sequences into the request line, and thereby add or change request headers, supply a request body, and send additional hidden requests to the same server.

This affects software that builds the uri for httplib2 by string concatenation or formatting with untrusted input, as opposed to building it properly with urllib, which percent-escapes such characters.

Patches

The problem has been fixed in httplib2 0.18.0.
Space, CR and LF characters in the uri are now quoted before any use.
This fix should not affect any valid usage of the httplib2 library, that is, a uri constructed with urllib, which never contains those raw characters.

Workarounds

Build the URI with the urllib.parse family of functions (urlencode, urlunsplit) instead of string concatenation or formatting, so that user-supplied values are percent-encoded:

user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:"
-uri = "https://api.server/?q={}".format(user_input)
+uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), ""))
http.request(uri)
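Review bot: the `+` line silently changes the request path from "/" (the `-` line requests "https://api.server/?q=...") to "/v1", so the before and after are not equivalent; use ("https", "api.server", "/", ...) or say that the path change is intentional. As shown, the snippet also needs `import urllib.parse` and an `http = httplib2.Http()` instance before `http.request(uri)` will run.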

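The following added example is not code from the advisory or from httplib2. It models what the injection described under Impact does to the bytes a client puts on the wire, and checks both defences: the urllib-built URI from the workaround above and the 0.18.0-style quoting of space, CR and LF. The request-head builder, the quote_unsafe_chars() helper and the second, request-smuggling payload are assumptions constructed here (a simplified HTTP/1.1 model, not httplib2's internals); the host api.server, the path /v1 and the first payload come from the snippet above.

```python
# Added example; not code from the advisory or from httplib2. The request-head
# builder is a simplified model of an HTTP/1.1 client, and quote_unsafe_chars()
# models the 0.18.0 mitigation the advisory describes rather than copying it.
import re
import urllib.parse

# Payload from the advisory's workaround snippet (attacker-controlled value).
USER_INPUT = " HTTP/1.1\r\ninjected: attack\r\nignore-http:"

# Constructed payload that smuggles a complete second request. The trailing
# "X: " header swallows the " HTTP/1.1" the client appends to the request line.
SMUGGLE_INPUT = (
    "x HTTP/1.1\r\nHost: api.server\r\n\r\n"
    "DELETE /v1/items/1 HTTP/1.1\r\nHost: api.server\r\nX: "
)

# RFC 3986 Appendix B regex. Unlike urllib.parse.urlsplit() in recent Pythons
# it does not strip CR/LF, so it shows what an unguarded client would see.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


def naive_uri(user_input):
    """Vulnerable pattern from the advisory: string formatting, no escaping."""
    return "https://api.server/?q={}".format(user_input)


def safe_uri(user_input):
    """Workaround from the advisory: urlencode() percent-encodes CR, LF and
    space (%0D, %0A, +) and urlunsplit() assembles the components."""
    query = urllib.parse.urlencode({"q": user_input})
    return urllib.parse.urlunsplit(("https", "api.server", "/v1", query, ""))


def quote_unsafe_chars(uri):
    """Model of the library-side fix in 0.18.0: quote space, CR and LF before
    the uri is used. A uri built with urllib contains none of them, so it
    passes through unchanged."""
    return uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")


def build_request_head(method, uri):
    """Simplified HTTP/1.1 request head: request line plus Host header.
    The unescaped uri lands in the request line, which is where the
    injection takes effect."""
    m = _URI_RE.match(uri)
    netloc, path, query = m.group(4) or "", m.group(5) or "/", m.group(7)
    target = path + ("?" + query if query is not None else "")
    return f"{method} {target} HTTP/1.1\r\nHost: {netloc}\r\n\r\n".encode("latin-1")


def head_lines(head):
    """Split a request head into the lines a server would parse."""
    return head.decode("latin-1").split("\r\n")


def request_count(head):
    """Number of complete (blank-line terminated) request heads in the bytes."""
    return head.count(b"\r\n\r\n")


def contains_raw_crlf(uri):
    """Pre-flight check a caller can apply before handing a uri to any client."""
    return "\r" in uri or "\n" in uri


if __name__ == "__main__":
    for label, uri in [
        ("vulnerable", naive_uri(USER_INPUT)),
        ("urllib-built", safe_uri(USER_INPUT)),
        ("0.18.0-style quoting", quote_unsafe_chars(naive_uri(USER_INPUT))),
        ("smuggled second request", naive_uri(SMUGGLE_INPUT)),
    ]:
        head = build_request_head("GET", uri)
        print(f"--- {label}: {request_count(head)} request(s) on the wire")
        for line in head_lines(head):
            print(repr(line))
```

Run as a script, the vulnerable case prints "injected: attack" as its own header line and the smuggling case shows two blank-line-terminated request heads in one write, while the urllib-built and quoted variants keep the whole payload inside the single request line. The quoting model is only a stand-in for the library fix: the durable defence remains never concatenating untrusted input into a URI.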
References

https://cwe.mitre.org/data/definitions/93.html
https://docs.python.org/3/library/urllib.parse.html

Thanks to Recar (https://github.com/Ciyfly) for finding the vulnerability and reporting it discreetly.

For more information

If you have any questions or comments about this advisory:
