CVE-2021-21330: Merge branch 'ghsa-v6wp-4m6f-gcjg' into master · aio-libs/aiohttp@2545222
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website. The cause is a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows: `pip install "aiohttp>=3.7.4"`. If upgrading is not an option for you, a workaround is to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
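The advisory above describes the bug only at the level of its effect (a normalization redirect whose `Location` becomes a scheme-relative URL such as `//google.com`). The following is an added example, not aiohttp's own middleware code, showing the two checks a defender wants around a path-normalizing redirect: collapse every run of slashes, including a leading run, before building the redirect target, and verify that any `Location` value is a same-origin path before emitting it. The `redirect_target` and `location_is_same_origin` functions, and the route set passed in, are assumptions for illustration; the real middleware resolves candidate paths against the application's router rather than a plain set.

```python
import re
from typing import Optional, Set
from urllib.parse import urlsplit


def redirect_target(
    raw_path: str,
    routes: Set[str],
    append_slash: bool = False,
    remove_slash: bool = False,
) -> Optional[str]:
    """Return the path a normalizing redirect should point at, or None if the
    request needs no redirect.

    Hypothetical model of a normalize-path middleware: the query string is
    kept, duplicate slashes are merged, and a trailing slash is added or
    removed.  Every candidate is forced to start with exactly one '/', so the
    result can never be a scheme-relative URL like '//example.org'.
    """
    path, sep, query = raw_path.partition("?")
    suffix = sep + query if sep else ""

    candidates = []
    merged = re.sub(r"/{2,}", "/", path)  # '/a//b' -> '/a/b', '//host' -> '/host'
    if merged != path:
        candidates.append(merged)
    if append_slash and not merged.endswith("/"):
        candidates.append(merged + "/")
    if remove_slash and merged.endswith("/") and len(merged) > 1:
        candidates.append(merged.rstrip("/") or "/")

    for cand in candidates:
        # Belt and braces: even if a later normalization step re-introduced
        # leading slashes, never hand the client a '//netloc' target.
        cand = re.sub(r"^/{2,}", "/", cand)
        if cand in routes:  # only redirect when the normalized path is served
            return cand + suffix
    return None


def location_is_same_origin(location: str) -> bool:
    """Check a Location header value before sending a redirect.

    Accepts only absolute-path references ('/x'): no scheme, no authority,
    no leading '//', and no backslashes (browsers treat '/\\host' like
    '//host' for http(s) URLs).
    """
    if not location.startswith("/") or location.startswith("//"):
        return False
    if "\\" in location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    # Constructed route table mirroring the advisory's test: '/' and '/google.com'.
    served = {"/", "/google.com"}
    target = redirect_target("//google.com", served)
    print(target, location_is_same_origin(target))  # /google.com True
    print(location_is_same_origin("//google.com"))  # False
```

The `location_is_same_origin` check is also useful outside the middleware, for example as a last-line guard in a custom redirect helper or when auditing captured `Location` headers in access logs.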
@@ -361,6 +361,38 @@ async def test_cannot_remove_and_add_slash(self) -> None:
with pytest.raises(AssertionError):
web.normalize_path_middleware(append_slash=True, remove_slash=True)
@pytest.mark.parametrize(
["append_slash", “remove_slash”],
[
(True, False),
(False, True),
(False, False),
],
)
async def test_open_redirects(
self, append_slash: bool, remove_slash: bool, aiohttp_client: Any
) -> None:
async def handle(request: web.Request) -> web.StreamResponse:
pytest.fail(
msg="Security advisory ‘GHSA-v6wp-4m6f-gcjg’ test handler "
"matched unexpectedly",
pytrace=False,
)
app = web.Application(
middlewares=[
web.normalize_path_middleware(
append_slash=append_slash, remove_slash=remove_slash
)
]
)
app.add_routes([web.get("/", handle), web.get("/google.com", handle)])
client = await aiohttp_client(app, server_kwargs={"skip_url_asserts": True})
resp = await client.get("//google.com", allow_redirects=False)
assert resp.status == 308
assert resp.headers[“Location”] == “/google.com”
assert resp.url.query == URL(“//google.com”).query
async def test_bug_3669(aiohttp_client: Any):
async def paymethod(request):
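Review bot: the parametrized `test_open_redirects` only exercises the single input `//google.com`; since the advisory is about any leading run of slashes producing a scheme-relative `Location`, add cases for three or more leading slashes (`///google.com`) and for a request carrying a query string, so the final `assert resp.url.query == URL("//google.com").query` actually checks that query preservation does not reintroduce the extra slashes. The quote characters in the hunk as rendered here (`“remove_slash”`, `“Location”`, `‘GHSA-v6wp-4m6f-gcjg’`) are typographic rather than ASCII; confirm the committed file uses plain `"` and `'`, as the typographic forms would be a `SyntaxError` under pytest. Using `pytest.fail` inside `handle` is a good choice: it makes a missed redirect fail loudly instead of silently returning a 200.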
Related news
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a persistent protocol; if both Content-Length (CL) and Transfer-Encoding (TE) header values are present, two entities that parse the HTTP request can interpret it differently, and that inconsistent interpretation can be used to poison other sockets. A possible proof of concept (PoC) would be a configuration with a reverse proxy (frontend) that accepts both CL and TE headers and aiohttp as the backend. Because aiohttp treats any TE value containing "chunked" as chunked, a TE value of "chunked123" is honoured by aiohttp while the frontend ignores the header and parses Content-Length instead. The impact of this vulnerability is that it is possible to bypass any proxy rule and poison sockets belonging to other users, for example by passing Authentication headers; if an open redirect is also present, an attacker could combine the two to redirect random us...
Gentoo Linux Security Advisory 202208-19 - An open redirect vulnerability has been discovered in aiohttp. Versions less than 3.7.4 are affected.