changeset 8322:a2c376d0f110
fix: fix possible HTTP Response Splitting in roundup-server
CodeQL flagged a possible HTTP Response Splitting in the Location
header's URL.
The AI suggested cleaning the Host value, except the URL also includes
the query parameters in the URL so they could potentially trigger the
issue. The host header probably doesn't have a newline or cr in it
otherwise it wouldn't have been recognized by the server as a valid
host.
In any case strip all \n or \r from the url before use.
Also update CHANGES.txt with fixing the gpg install.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 03 Jun 2025 22:23:10 -0400 |
| parents | 71e961941be6 |
| children | 32a57cde072f |
| files | CHANGES.txt roundup/scripts/roundup_server.py |
| diffstat | 2 files changed, 8 insertions(+), 0 deletions(-) |
--- a/CHANGES.txt Tue Jun 03 21:43:29 2025 -0400 +++ b/CHANGES.txt Tue Jun 03 22:23:10 2025 -0400 @@ -95,6 +95,8 @@ - issue2551406: 'Templating Error: too many values to unpack' crash fixed. (reported by and patch Christof Meerwald, commit/test John Rouillard) +- fix potential HTTP Response Splitting issue in + roundup-server. Discovered by CodeQL in CI. (John Rouillard) Features: @@ -151,6 +153,8 @@ Schlatterbeck) - issue2551231 - template.py-HTMLClass::classhelp doesn't merge user defined classes. It now merges them in. (John Rouillard) +- re-enable support for GPG/PGP encrypted emails using new python gpg + pakage on the test pypi instance. (Paul Schwabauer) 2024-07-13 2.4.0
--- a/roundup/scripts/roundup_server.py Tue Jun 03 21:43:29 2025 -0400 +++ b/roundup/scripts/roundup_server.py Tue Jun 03 22:23:10 2025 -0400 @@ -432,6 +432,10 @@ url = '%s://%s%s/' % (protocol, self.headers['host'], rest) if query: url += '?' + query + + # Do not allow literal \n or \r in URL to prevent + # HTTP Response Splitting + url = re.sub("[\r\n]", "", url) self.send_header('Location', url) self.send_header('Content-Length', 17) self.end_headers()
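Review bot: the new `re.sub("[\r\n]", "", url)` call in the roundup_server.py hunk depends on `re` being imported at module level, but no `import re` appears in this diff; confirm the module already imports it, otherwise the redirect path raises NameError at runtime instead of sending the Location header. Also consider whether silently deleting CR/LF is the right behaviour here: a request whose query string contains a raw newline is malformed, and stripping the characters produces a redirect to a URL the client never asked for, whereas rejecting the request with a 400 would make the condition visible in logs. If stripping is kept, a short comment saying why rejection was not chosen would help the next reader.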
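Review bot: in the second CHANGES.txt hunk (`@@ -151,6 +153,8 @@`) the added entry misspells "pakage"; it should read "package" in "using new python gpg package on the test pypi instance".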
