
possible security vulnerability in user input #297

Closed
jvanasco opened this issue Aug 4, 2017 · 8 comments

Comments

@jvanasco

jvanasco commented Aug 4, 2017

I discovered a specific vulnerability in a handful of Python form validation and sanitization libraries yesterday. colander is affected. The behavior is desired in some contexts, but dangerous in most HTTP/HTML contexts.

Is there someone I can email about this?

@stevepiercy
Member

From https://pylonsproject.org/community-support.html

To report security issues with projects under the Pylons Project send email to: pylons-project-security@googlegroups.com. If we determine that your report may be a security issue with the project, we may contact you for further information.

Thank you!

@digitalresistor
Member

@jvanasco did you send an email about this issue? If not, would you please reach out to either the security list or to me personally? xistence@0x58.com or bertjw@regeer.org (either one/both is fine).

@jvanasco
Author

jvanasco commented Feb 1, 2019

I thought I did, but there's nothing in my outbox. I'll email the group now.

@digitalresistor
Member

Thanks @jvanasco!

@jvanasco
Author

jvanasco commented Feb 1, 2019

If anyone in the general public is worried about this: please don't. Many upstream libraries and web browsers have since integrated safeguards against this overall attack type, making this ticket largely redundant.

@tseaver
Member

tseaver commented May 20, 2024

@jvanasco I'm going to close this based on your last comment. Could you point to the CVEs for those other projects to give people wondering if they are vulnerable some context?

@tseaver tseaver closed this as completed May 20, 2024
@jvanasco
Author

I don't know of any CVEs offhand, and I can't access any of the secure tickets I filed back then, but I will disclose the issue and what has changed in the industry:

When this ticket was filed, web browsers did not render non-printable ASCII characters. Today, they are rendered with placeholders.

The previous browser behavior would allow a malicious actor to carefully construct a payload that uses ASCII control characters (like backspace) to appear innocuous, but "transform" into malicious code when copy/pasted into a terminal window (or similar input that recognizes the control characters).

This attack vector does take an additional element of human engineering - the malicious actor needs to convince someone to copy/paste user-generated text into a terminal window - but that can be an easy task with coding websites and forums. It's a particularly esoteric potential attack aimed at a particular audience.

Modern browsers now render placeholders or will not render the control characters in HTML documents - so there is either a visible warning or no attack vector.
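The comment above describes the class of input involved (ASCII control characters such as backspace surviving form validation) but not what a server-side check looks like. The following is an added example, not code from colander or from the issue author: a small Python validator that detects, rejects, or strips control characters in user-submitted text while still allowing tab, newline and carriage return. It goes slightly beyond the ASCII range discussed here by using the Unicode "Cc" category, which also covers the C1 controls (U+0080 to U+009F). The function names and the sample inputs are constructed for this example.

```python
import unicodedata

# Whitespace that ordinary form input legitimately contains; everything else in
# Unicode category "Cc" (control) is treated as suspect.
ALLOWED_WHITESPACE = frozenset("\t\n\r")

# Readable names for the control characters most likely to appear in reports;
# anything else is reported as its code point.
_NAMES = {0x00: "NULL", 0x08: "BACKSPACE", 0x1B: "ESCAPE", 0x7F: "DELETE"}


def _describe(ch):
    return _NAMES.get(ord(ch), f"U+{ord(ch):04X}")


def find_control_characters(text, allowed=ALLOWED_WHITESPACE):
    """Return a list of (offset, name) for every control character not in `allowed`.

    Uses the Unicode "Cc" category, so it covers the C0 range and DEL that the
    issue discusses, plus the C1 controls (U+0080-U+009F).
    """
    return [
        (i, _describe(ch))
        for i, ch in enumerate(text)
        if ch not in allowed and unicodedata.category(ch) == "Cc"
    ]


def validate_no_control_characters(text):
    """Reject-style check: raise ValueError naming the offending characters.

    Hypothetical helper (assumption): shaped so it could be wrapped in a form
    validator, but it depends on no library beyond the standard one.
    """
    hits = find_control_characters(text)
    if hits:
        detail = ", ".join(f"{name} at offset {i}" for i, name in hits)
        raise ValueError(f"control characters are not allowed: {detail}")
    return text


def strip_control_characters(text, allowed=ALLOWED_WHITESPACE):
    """Sanitise-style alternative: drop the control characters, keep the rest."""
    return "".join(
        ch for ch in text
        if ch in allowed or unicodedata.category(ch) != "Cc"
    )


def is_clean(text):
    return not find_control_characters(text)


# Constructed sample inputs (not taken from any real report).
CONSTRUCTED_SAMPLES = {
    "plain": "pip install requests",
    "multiline": "line one\nline two\tindented",
    # Four backspaces after "safe": a terminal erases the word, while a browser
    # of the era described in the issue would simply not show them.
    "backspace": "safe\x08\x08\x08\x08text",
    "escape": "name\x1bhidden",
    "c1_control": "caf\u0085",
}


def check_samples(samples=CONSTRUCTED_SAMPLES):
    """Return {sample name: True if the input contains no disallowed controls}."""
    return {name: is_clean(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, value in CONSTRUCTED_SAMPLES.items():
        hits = find_control_characters(value)
        status = "clean" if not hits else "REJECT " + ", ".join(f"{n}@{i}" for i, n in hits)
        print(f"{name:12s} {value!r:36s} {status}")
```

Rejecting with a clear error is usually preferable to silently stripping: the submitter learns why the input was refused, and a log of such rejections is a useful signal that someone is probing the form. Whether tab and newline belong in the allow list depends on the field; for a single-line field such as a username, pass `allowed=frozenset()`.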

@tseaver
Member

tseaver commented May 21, 2024

Thanks for the follow-up, @jvanasco!
