Python urllib CRLF 注入漏洞分析 (CVE-2019-9740)<\/h1>

漏洞概述<\/h2>
CVE-2019-9740 是 Python urllib 库中的一个 CRLF 注入漏洞，允许攻击者通过精心构造的 URL 在 HTTP 请求头中注入恶意内容。该漏洞是 2016 年 CVE-2016-5699 漏洞的变种，尽管之前已经修复了部分问题，但仍存在可利用的注入点。<\/p>

CRLF 注入原理<\/h2>

CRLF 是"回车+换行"(\r\n<\/code>)的简称，十六进制码为 0x0d<\/code> 和 0x0a<\/code>。在 HTTP 协议中：<\/p>


HTTP 头和 HTTP 体使用两个 \r\n<\/code> 分隔<\/li>
浏览器根据这些控制字符来解析和显示 HTTP 内容<\/li>
攻击者若能控制 HTTP 消息头中的字符，就可以注入恶意换行来操纵会话 Cookie 或 HTML 体<\/li>
<\/ul>
漏洞演示<\/h2>
正常请求示例<\/h3>
import<\/span> urllib.request
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/127.0.0.1"<\/span>
<\/span><\/span>response =<\/span> urllib.<\/span>request.<\/span>urlopen(url)
<\/span><\/span><\/code><\/pre>正常请求头：<\/p>
GET \/ HTTP\/1.1
Host: 127.0.0.1
User-Agent: Python-urllib\/3.7
...
<\/code><\/pre>
恶意请求示例<\/h3>
import<\/span> urllib.request
<\/span><\/span>
<\/span><\/span>host =<\/span> "127.0.0.1<\/span>%0d%0a%0d%0a<\/span>headers:test"<\/span>
<\/span><\/span>url =<\/span> "http:\/\/"<\/span> +<\/span> host
<\/span><\/span>response =<\/span> urllib.<\/span>request.<\/span>urlopen(url)
<\/span><\/span><\/code><\/pre>注入后的请求头：<\/p>
GET \/ HTTP\/1.1
Host: 127.0.0.1

headers:test
User-Agent: Python-urllib\/3.7
...
<\/code><\/pre>
漏洞分析<\/h2>
漏洞代码路径<\/h3>

urllib.request.urlopen()<\/code> 是入口函数<\/li>
调用 build_opener()<\/code> 创建 opener<\/li>
使用 HTTPHandler<\/code> 处理 HTTP 请求<\/li>
最终通过 http.client.HTTPConnection<\/code> 发送请求<\/li>
<\/ol>
关键问题点<\/h3>
在 http\/client.py<\/code> 中的 putheader<\/code> 方法：<\/p>
def<\/span> putheader<\/span>(self, header, *<\/span>values):
<\/span><\/span>    values =<\/span> list(values)
<\/span><\/span>    for<\/span> i, one_value in<\/span> enumerate(values):
<\/span><\/span>        if<\/span> hasattr(one_value, 'encode'<\/span>):
<\/span><\/span>            values[i] =<\/span> one_value.<\/span>encode('latin-1'<\/span>)
<\/span><\/span>        elif<\/span> isinstance(one_value, int):
<\/span><\/span>            values[i] =<\/span> str(one_value).<\/span>encode('ascii'<\/span>)
<\/span><\/span>    value =<\/span> b<\/span>'<\/span>\r\n\t<\/span>'<\/span>.<\/span>join(values)
<\/span><\/span>    header =<\/span> header +<\/span> b<\/span>': '<\/span> +<\/span> value
<\/span><\/span>    self.<\/span>_output(header)
<\/span><\/span><\/code><\/pre>问题在于：<\/p>

只检查了响应头中的 CRLF，没有检查发送的 URL<\/li>
允许在 URL 中嵌入 CRLF 控制字符<\/li>
<\/ol>
修复后的代码<\/h3>
修复后的 putheader<\/code> 方法增加了严格的头部验证：<\/p>
def<\/span> putheader<\/span>(self, header, *<\/span>values):
<\/span><\/span>    if<\/span> self.<\/span>__state !=<\/span> _CS_REQ_STARTED:
<\/span><\/span>        raise<\/span> CannotSendHeader()
<\/span><\/span>
<\/span><\/span>    if<\/span> hasattr(header, 'encode'<\/span>):
<\/span><\/span>        header =<\/span> header.<\/span>encode('ascii'<\/span>)
<\/span><\/span>
<\/span><\/span>    if<\/span> not<\/span> _is_legal_header_name(header):
<\/span><\/span>        raise<\/span> ValueError<\/span>('Invalid header name <\/span>%r<\/span>'<\/span> %<\/span> (header,))
<\/span><\/span>
<\/span><\/span>    values =<\/span> list(values)
<\/span><\/span>    for<\/span> i, one_value in<\/span> enumerate(values):
<\/span><\/span>        if<\/span> hasattr(one_value, 'encode'<\/span>):
<\/span><\/span>            values[i] =<\/span> one_value.<\/span>encode('latin-1'<\/span>)
<\/span><\/span>        elif<\/span> isinstance(one_value, int):
<\/span><\/span>            values[i] =<\/span> str(one_value).<\/span>encode('ascii'<\/span>)
<\/span><\/span>
<\/span><\/span>        if<\/span> _is_illegal_header_value(values[i]):
<\/span><\/span>            raise<\/span> ValueError<\/span>('Invalid header value <\/span>%r<\/span>'<\/span> %<\/span> (values[i],))
<\/span><\/span>
<\/span><\/span>    value =<\/span> b<\/span>'<\/span>\r\n\t<\/span>'<\/span>.<\/span>join(values)
<\/span><\/span>    header =<\/span> header +<\/span> b<\/span>': '<\/span> +<\/span> value
<\/span><\/span>    self.<\/span>_output(header)
<\/span><\/span><\/code><\/pre>新增的验证函数：<\/p>
_is_legal_header_name =<\/span> re.<\/span>compile(rb<\/span>'[^:\s][^:\r\n]*'<\/span>).<\/span>fullmatch
<\/span><\/span><\/code><\/pre>官方修复方案<\/h2>
官方在 putrequest<\/code> 方法中增加了对 URL 的严格检查：<\/p>

匹配所有 ASCII 码在 00 到 32 的控制字符<\/li>
同时匹配 \x7f<\/code> 字符<\/li>
<\/ul>
修复提交：

https:\/\/github.githistory.xyz\/python\/cpython\/blob\/96aeaec64738b730c719562125070a52ed570210\/Lib\/http\/client.py<\/p>
漏洞影响<\/h2>

允许攻击者操纵 HTTP 请求头<\/li>
可能导致 HTTP 请求走私、缓存投毒、跨站脚本等攻击<\/li>
影响所有使用 Python urllib 库的应用程序<\/li>
<\/ul>
防护建议<\/h2>

升级到修复后的 Python 版本<\/li>
对用户提供的 URL 进行严格验证<\/li>
避免直接使用用户输入构造 URL<\/li>
使用更现代的请求库如 requests<\/code> 替代 urllib<\/code><\/li>
<\/ol>
参考链接<\/h2>

https:\/\/bugs.python.org\/issue36276<\/li>
https:\/\/hg.python.org\/cpython\/rev\/bf3e1c9b80e9<\/li>
https:\/\/bugs.python.org\/issue30458#msg295067<\/li>
<\/ol>

Python urllib CRLF 注入漏洞分析 (CVE-2019-9740)<\/h1>

漏洞演示<\/h2>

漏洞分析<\/h2>

参考链接<\/h2> https:\/\/bugs.python.org\/issue36276<\/li> https:\/\/hg.python.org\/cpython\/rev\/bf3e1c9b80e9<\/li> https:\/\/bugs.python.org\/issue30458#msg295067<\/li> <\/ol>

参考链接<\/h2>

https:\/\/bugs.python.org\/issue36276<\/li>
https:\/\/hg.python.org\/cpython\/rev\/bf3e1c9b80e9<\/li>
https:\/\/bugs.python.org\/issue30458#msg295067<\/li> <\/ol>