[Bug 1718509] Re: python paste dumping raw input
Chris MacNaughton
1718509 at bugs.launchpad.net
Wed Jun 10 12:18:10 UTC 2020
As far as I can tell, this is only ever going to be visible from a
malicious client (i.e. somebody running telnet), and is not able to be
triggered from a browser (so no actual XSS).
** Changed in: python-eventlet (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1718509
Title:
python paste dumping raw input
Status in neutron:
New
Status in paste:
New
Status in python-eventlet package in Ubuntu:
Confirmed
Bug description:
juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>cross_site_scripting.nasl</script>
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Tue, 19 Sep 2017 20:17:09 GMT
Connection: close
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~
juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>document.cookie%22testgppq=1191;%22</script>
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 602
Date: Tue, 19 Sep 2017 20:33:26 GMT
Connection: close
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie"testgppq=1191;"</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~
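The pattern in the bug description, shown beside a hardened error handler. This is an added example, not code from paste, eventlet, neutron or the bug report; strict_app, reply_500, debug_errors, generic_errors and call are hypothetical names, and the request path used with them is a constructed sample.

```python
import logging
import traceback
import uuid

log = logging.getLogger("wsgi.errors")

def strict_app(environ, start_response):
    # Hypothetical stand-in for the check in the traceback (path echoed via %r).
    path = environ.get("PATH_INFO", "")
    if not path.startswith("/"):
        raise AssertionError(
            "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def reply_500(start_response, body):
    start_response("500 Internal Server Error",
                   [("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
    return [body]

def debug_errors(app):
    # Behaviour seen in the report: the traceback becomes the 500 body.
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            return reply_500(start_response, traceback.format_exc().encode())
    return wrapped

def generic_errors(app):
    # Hardened form: the traceback goes to the server log; the client gets a
    # fixed body plus an opaque id that operators can search the log for.
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex
            log.exception("unhandled error, incident %s", incident)
            body = "Internal Server Error (incident %s)\n" % incident
            return reply_500(start_response, body.encode())
    return wrapped

def call(app, path):
    # Minimal in-process WSGI call; returns (status, body bytes).
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body
```

eventlet.wsgi.server also takes a debug argument; with debug=False it does not send exception tracebacks to the client on 500 errors.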