Headline
CVE-2022-39348: Merge pull request from GHSA-vg46-2rrj-3647 · twisted/twisted@f2f5e81
Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
@@ -0,0 +1,134 @@ # -*- test-case-name: twisted.web.test.test_pages -*- # Copyright © Twisted Matrix Laboratories. # See LICENSE for details.
“"” Utility implementations of L{IResource}. “"”
__all__ = ( "errorPage", "notFound", "forbidden", )
from typing import cast
from twisted.web import http from twisted.web.iweb import IRenderable, IRequest from twisted.web.resource import IResource, Resource from twisted.web.template import renderElement, tags
class _ErrorPage(Resource): “"” L{_ErrorPage} is a resource that responds to all requests with a particular (parameterized) HTTP status code and an HTML body containing some descriptive text. This is useful for rendering simple error pages. @see: L{twisted.web.pages.errorPage} @ivar _code: An integer HTTP status code which will be used for the response. @ivar _brief: A short string which will be included in the response body as the page title. @ivar _detail: A longer string which will be included in the response body. “"”
def __init__(self, code: int, brief: str, detail: str) -> None: super().__init__() self._code: int = code self._brief: str = brief self._detail: str = detail
def render(self, request: IRequest) -> object: “"” Respond to all requests with the given HTTP status code and an HTML document containing the explanatory strings. “"” request.setResponseCode(self._code) request.setHeader(b"content-type", b"text/html; charset=utf-8") return renderElement( request, # cast because the type annotations here seem off; Tag isn’t an # IRenderable but also probably should be? See # https://github.com/twisted/twisted/issues/4982 cast( IRenderable, tags.html( tags.head(tags.title(f"{self._code} - {self._brief}")), tags.body(tags.h1(self._brief), tags.p(self._detail)), ), ), )
def getChild(self, path: bytes, request: IRequest) -> Resource: “"” Handle all requests for which L{_ErrorPage} lacks a child by returning this error page. @param path: A path segment. @param request: HTTP request “"” return self
def errorPage(code: int, brief: str, detail: str) -> IResource: “"” Build a resource that responds to all requests with a particular HTTP status code and an HTML body containing some descriptive text. This is useful for rendering simple error pages. The resource dynamically handles all paths below it. Use L{IResource.putChild()} override specific path. @param code: An integer HTTP status code which will be used for the response. @param brief: A short string which will be included in the response body as the page title. @param detail: A longer string which will be included in the response body. @returns: An L{IResource} “"” return _ErrorPage(code, brief, detail)
def notFound( brief: str = "No Such Resource", message: str = "Sorry. No luck finding that resource.", ) -> IResource: “"” Generate an L{IResource} with a 404 Not Found status code. @see: L{twisted.web.pages.errorPage} @param brief: A short string displayed as the page title. @param brief: A longer string displayed in the page body. @returns: An L{IResource} “"” return _ErrorPage(http.NOT_FOUND, brief, message)
def forbidden( brief: str = "Forbidden Resource", message: str = “Sorry, resource is forbidden.” ) -> IResource: “"” Generate an L{IResource} with a 403 Forbidden status code. @see: L{twisted.web.pages.errorPage} @param brief: A short string displayed as the page title. @param brief: A longer string displayed in the page body. @returns: An L{IResource} “"” return _ErrorPage(http.FORBIDDEN, brief, message)
Related news
Ubuntu Security Notice 6575-1 - It was discovered that Twisted incorrectly escaped host headers in certain 404 responses. A remote attacker could possibly use this issue to perform HTML and script injection attacks. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay responses and manipulate the responses of second requests.
Gentoo Linux Security Advisory 202301-2 - Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service. Versions less than 22.10.0 are affected.
When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. Example configuration: ```python from twisted.web.server import Site from twisted.web.vhost import NameVirtualHost from twisted.internet import reactor resource = NameVirtualHost() site = Site(resource) reactor.listenTCP(8080, site) reactor.run() ``` Output: ``` ❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/ <html> <head><title>404 - No Such Resource</title></head> <body> <h1>No Such Resource</h1> <p>host b'<h1>hello there</h1>' not in vhost map</p> </body> </html> ``` This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.