Some URL can make httpx use URL with wrong info #2184
Comments
GitHub has added this to their advisory database, and it is now being picked up by Dependabot dependency scanning.
👋 When is the next release scheduled? Would love to pick up #2185, since it addresses CVE-2021-41945 🙏
Release pull request... #2214
This may be useful for Linux distro packagers: I created a manual backport https://github.com/archlinux/svntogit-community/blob/packages/python-httpx/trunk/CVE-2021-41945.diff as commit e9b0c85 cannot be applied directly onto version 0.22.0.
PR #2185 has been merged, can this be closed?
A stable version with this fix has not been released yet, so this can't be closed.
It looks a bit odd to me that the fix for this critical vulnerability hasn't been released, even though it has been merged for more than a month now. This project looks pretty nice, but then people must also pay attention to both resolving and releasing critical problems immediately. Such a long-lasting response may turn users away from using your work, as we are considering that within our organisation too...
Now released as 0.23.0 |
If anyone knows the process for updating those advisories, then marking them as resolved would be very much welcome. |
For GHSA-h8pj-cxx2-jfg2, there is a "Suggest improvements" which apparently opens a PR. Leaving that here as FYI since a PR was already submitted: github/advisory-database#322. |
After some research, I found that `httpx.Client` and `httpx.Proxy` may implicitly parse the wrong URL because of the improper implementation of `httpx.URL().copy_with`. This issue may lead to some blacklist bypass.
For example:
- `httpx.Client`
- `httpx.Proxy`
Main reason:
httpx/httpx/_urls.py, line 487 in b07fe7b
`copy_with` parses `self._uri_reference.copy_with(**kwargs).unsplit()` before returning the new URL, but the new URL string returned by `unsplit` may make some unintended changes to the new URL. For example:
So if a function is using `copy_with`, it may have the same issue as `httpx.Client` and `httpx.Proxy`, too (for example, `copy_set_param`). I also made a patch PR for this issue by replacing

```python
return URL(self._uri_reference.copy_with(**kwargs).unsplit())
```

with:
By the way, I think this issue is similar to CWE-172 and CWE-20. If you want to request a CVE id for this issue to remind httpx's users, you can use these categories.
Updated: This has been assigned CVE-2021-41945.