comparison roundup/scripts/roundup_server.py @ 8322:a2c376d0f110
fix: fix possible HTTP Response Splitting in roundup-server
CodeQL flagged a possible HTTP Response Splitting in the Location
header's URL.
The AI suggested cleaning the Host value, except the URL also includes
the query parameters in the URL so they could potentially trigger the
issue. The host header probably doesn't have a newline or cr in it
otherwise it wouldn't have been recognized by the server as a valid
host.
In any case strip all \n or \r from the url before use.
Also update CHANGES.txt with fixing the gpg install.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 03 Jun 2025 22:23:10 -0400 |
| parents | 03513f5066f3 |
| children | 5fbf6451a782 |
| 8321:71e961941be6 | 8322:a2c376d0f110 |
|---|---|
| 430 # redirect - XXX https?? | 430 # redirect - XXX https?? |
| 431 protocol = 'http' | 431 protocol = 'http' |
| 432 url = '%s://%s%s/' % (protocol, self.headers['host'], rest) | 432 url = '%s://%s%s/' % (protocol, self.headers['host'], rest) |
| 433 if query: | 433 if query: |
| 434 url += '?' + query | 434 url += '?' + query |
| 435 | |
| 436 # Do not allow literal \n or \r in URL to prevent | |
| 437 # HTTP Response Splitting | |
| 438 url = re.sub("[\r\n]", "", url) | |
| 435 self.send_header('Location', url) | 439 self.send_header('Location', url) |
| 436 self.send_header('Content-Length', 17) | 440 self.send_header('Content-Length', 17) |
| 437 self.end_headers() | 441 self.end_headers() |
| 438 self.wfile.write(b'Moved Permanently') | 442 self.wfile.write(b'Moved Permanently') |
| 439 return | 443 return |
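Review bot: at new line 438, `re.sub("[\r\n]", "", url)` silently rewrites a URL that contained CR or LF, and the 301 is then still sent to the rewritten value. A request whose host or query carries a raw line break is malformed, so consider answering with a 400 instead of redirecting. If stripping is kept, `url.replace('\r', '').replace('\n', '')` does the same job without a regex. The hunk does not show an `import re`, so please confirm the module already imports it at the top. A regression test that sends a query string containing a line break and asserts that the Location header value stays on one line would keep this from regressing.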
