CVE-2023-34457: Release Version 1.3.0 · MechanicalSoup/MechanicalSoup
MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using an `<input type="file" ...>` element
inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.
Breaking changes
To prevent malicious web servers from reading arbitrary files from the client, files must now be opened explicitly by the user in order to upload their contents in form submission. For example, instead of:
```python
browser["upload"] = "/path/to/file"
```
you would now use:
```python
browser["upload"] = open("/path/to/file", "rb")
```
This remediates CVE-2023-34457. Our thanks to @e-c-d for reporting and helping to fix the vulnerability!
Main changes
Added support for Python 3.11.
Allow submitting a form with no submit element. This can be achieved by passing submit=False to StatefulBrowser.submit_selected. Thanks @alexreg! [#480]
Related news
### Summary

A malicious web server can read arbitrary files on the client using a `<input type="file" ...>` inside an HTML form.

### Details

This affects the extremely common pattern of form submission:

```python
b = mechanicalsoup.StatefulBrowser()
b.select_form(...)
b.submit_selected()
```

The problem is with the code in `browser.Browser.get_request_kwargs`:

```python
if tag.get("type", "").lower() == "file" and multipart:
    filepath = value
    if filepath != "" and isinstance(filepath, str):
        content = open(filepath, "rb")
    else:
        content = ""
    filename = os.path.basename(filepath)
    # If value is the empty string, we still pass it
    # for consistency with browsers (see
    # https://github.com/MechanicalSoup/MechanicalSoup/issues/250).
    files[name] = (filename, content)
```

The file path is taken from the bs4 tag "value" attribute. However, this path will default to whatever the server sends. So if a malici...
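The vulnerable `get_request_kwargs` pattern beside the 1.3.0 behaviour, as an added illustration that is not MechanicalSoup's code: it uses only the standard library (`html.parser` standing in for bs4), a constructed form whose file input the server has pre-filled with a client path, and hypothetical helper names (`malicious_form`, `parse_inputs`, `build_files_vulnerable`, `build_files_fixed`). The fixed variant never opens a string, so a server-supplied value yields an empty upload unless the user passed an already opened file object.

```python
import os
from html.parser import HTMLParser

def malicious_form(path):
    # Constructed HTML: the server pre-fills the file input's value with a client-side path.
    return ('<form method="post" enctype="multipart/form-data">'
            f'<input type="file" name="upload" value="{path}">'
            '<input type="submit" value="Go"></form>')
class _InputCollector(HTMLParser):  # stand-in for the bs4 tag lookup MechanicalSoup does
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def parse_inputs(html):
    collector = _InputCollector()
    collector.feed(html)
    return collector.inputs

def build_files_vulnerable(inputs, user_values=None):
    # Pre-1.3.0 pattern: a string value (the server's by default) is opened as a path.
    files = {}
    for tag in inputs:
        if tag.get("type", "").lower() != "file":
            continue
        name = tag.get("name")
        filepath = (user_values or {}).get(name, tag.get("value", ""))
        if filepath != "" and isinstance(filepath, str):
            with open(filepath, "rb") as fh:  # opens whatever path the server supplied
                content = fh.read()
        else:
            content = b""
        files[name] = (os.path.basename(filepath), content)
    return files

def build_files_fixed(inputs, user_values=None):
    # 1.3.0 behaviour: only a file object the user opened is uploaded; strings are never opened.
    files = {}
    for tag in inputs:
        if tag.get("type", "").lower() != "file":
            continue
        name = tag.get("name")
        value = (user_values or {}).get(name, tag.get("value", ""))
        if hasattr(value, "read"):
            files[name] = (os.path.basename(getattr(value, "name", "")), value.read())
        else:
            files[name] = ("", b"")  # server-supplied path: nothing leaves the client
    return files
```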