
This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 124679
Status: rejected
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: hackyzh001 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



From: hackyzh001 [...] gmail.com
The function get does not filter the file protocol, so you can leak information or cause a denial of service.

Proof of Concept:

    use strict;
    use warnings;
    use LWP::Simple;

    # file:// is dispatched to LWP::Protocol::file like any other scheme
    my $url     = 'file:///etc/passwd';
    my $content = get $url;
    print $content;
Subject: [perl #132938] AutoReply: Fwd: [rt.cpan.org #124679] libwww-perl:redirect vulnerability in get()
Date: Mon, 05 Mar 2018 05:35:23 -0800
To: bug-libwww-perl [...] rt.cpan.org
From: perl5-security-report-followup [...] perl.org
Greetings,

This message has been automatically generated in response to the creation of a perl security report regarding:
"Fwd: [rt.cpan.org #124679] libwww-perl:redirect vulnerability in get()".

There is no need to reply to this message right now. Your ticket has been assigned an ID of [perl #132938].

Please include the string:

[perl #132938]

in the subject line of all future correspondence about this issue. To do so, you may reply to this message (please delete unnecessary quotes and text.)

Thank you,
perl5-security-report-followup@perl.org

-------------------------------------------------------------------------
Received: from xx1.develooper.com (xx1.dev [10.0.100.115]) by rtperl.develooper.com (Postfix) with ESMTP id D88741D9 for <rt-perl5-security@rtperl.dev>; Mon, 5 Mar 2018 05:35:22 -0800 (PST)
Received: from localhost (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with ESMTP id AF06412119E for <rt-perl5-security@rtperl.dev>; Mon, 5 Mar 2018 05:35:21 -0800 (PST)
Received: from xx1.develooper.com (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with SMTP id 65EB71211A8 for <rt-perl5-security@rtperl.dev>; Mon, 5 Mar 2018 05:35:20 -0800 (PST)
Received: from x6.develooper.com (x6.develooper.com [207.171.7.86]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by xx1.develooper.com (Postfix) with ESMTPS id 318561211B8 for <rt-perl5-security@rt.perl.org>; Mon, 5 Mar 2018 05:35:19 -0800 (PST)
Received: by x6.develooper.com (Postfix, from userid 514) id D17CB257B; Mon, 5 Mar 2018 05:35:19 -0800 (PST)
Received: (qmail 12249 invoked from network); 5 Mar 2018 13:35:19 -0000
Received: from xx1.develooper.com (207.171.7.115) by x6.develooper.com with SMTP; 5 Mar 2018 13:35:19 -0000
Received: from localhost (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with ESMTP id 38E8D1211A6 for <perlmail-perl5-security-report@onion.perl.org>; Mon, 5 Mar 2018 05:35:19 -0800 (PST)
Received: from xx1.develooper.com (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with SMTP id 1E95812119E for <perlmail-perl5-security-report@onion.perl.org>; Mon, 5 Mar 2018 05:35:17 -0800 (PST)
Received: from rtcpan.develooper.com (rtcpan.develooper.com [207.171.7.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by xx1.develooper.com (Postfix) with ESMTPS id 1928A12118E for <perl5-security-report@perl.org>; Mon, 5 Mar 2018 05:34:59 -0800 (PST)
Received: by rtcpan.develooper.com (Postfix, from userid 536) id 620D2827; Mon, 5 Mar 2018 05:34:59 -0800 (PST)
Message-ID: <20180305133459.620D2827@rtcpan.develooper.com>
Date: Mon, 5 Mar 2018 08:34:59 -0500
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2018.3.5.132416
From: bug-libwww-perl@rt.cpan.org
From perlmail@x6.develooper.com Mon Mar 5 05:35:23 2018
Content-Type: multipart/mixed; boundary="----------=_1520256899-3662-0"
X-Original-To: rt-perl5-security@rtperl.dev
Subject: Fwd: [rt.cpan.org #124679] libwww-perl:redirect vulnerability in get()
To: perl5-security-report@perl.org
X-RT-Mail-Extension: perl5-security
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx3.develooper.com
CC:
Delivered-To: rt-perl5-security@rtperl.dev
Delivered-To: perlmail-perl5-security-report@onion.perl.org
Return-Path: <perlmail@x6.develooper.com>
X-Spam-Status: No, score=-2.2 required=6.0 tests=ALL_TRUSTED,BAYES_00, MIME_HEADER_CTYPE_ONLY,T_TVD_MIME_NO_HEADERS,URIBL_BLOCKED autolearn=no version=3.3.1
X-RT-Interface: Email
On Monday, 2018-03-05 08:35:35, perl5-security-report-followup@perl.org wrote:
> [quoted auto-reply, identical to the message above]
So, someone has been dealing with this bug, right? This bug platform does not give people a very good feeling. Until now, I still do not quite understand.
Subject: Re: [rt.cpan.org #124679] libwww-perl:redirect vulnerability in get() [perl #132938]
Date: Tue, 6 Mar 2018 09:43:22 +0000
To: yao zhihua via RT <bug-libwww-perl [...] rt.cpan.org>
From: Dave Mitchell <davem [...] iabyn.com>
On Mon, Mar 05, 2018 at 11:35:29PM -0500, yao zhihua via RT wrote:
> So,someone has been dealing with this bug, right?This bug platform > gives people the feeling is not very good.Until now, I still do not > quite understand.
This ticket concerns a module which is not part of the perl core, so I am closing the perl ticket, perl #132938.

The ticket you also opened against the module on rt.cpan.org, #124679, remains open, and any further discussion should take place against that ticket.

Please remove perl5-security-report-followup from the Cc: list on any replies.

--
Diplomacy is telling someone to go to hell in such a way that they'll look forward to the trip
RT-Send-CC: davem [...] iabyn.com
On Tuesday, 2018-03-06 04:43:44, davem@iabyn.com wrote:
> On Mon, Mar 05, 2018 at 11:35:29PM -0500, yao zhihua via RT wrote:
> > So,someone has been dealing with this bug, right?This bug platform > > gives people the feeling is not very good.Until now, I still do not > > quite understand.
> > This ticket concerns a module which is not part of the perl core, > so I am closing the perl ticket, perl #132938. > > The ticket you also opened against the module on rt.cpan.org remains, > #124679, > open, and any further discussion should take place against that ticket. > > Please remove perl5-security-report-followup from the Cc: list on any > replies. >
Okay, since this was my first submission, there were some problems.
On Tue Mar 06 07:12:50 2018, hackyzh001@gmail.com wrote:
> On Tuesday, 2018-03-06 04:43:44, davem@iabyn.com wrote:
> > On Mon, Mar 05, 2018 at 11:35:29PM -0500, yao zhihua via RT wrote:
> > > So,someone has been dealing with this bug, right?This bug platform > > > gives people the feeling is not very good.Until now, I still do not > > > quite understand.
> > > > This ticket concerns a module which is not part of the perl core, > > so I am closing the perl ticket, perl #132938. > > > > The ticket you also opened against the module on rt.cpan.org remains, > > #124679, > > open, and any further discussion should take place against that ticket. > > > > Please remove perl5-security-report-followup from the Cc: list on any > > replies. > >
> > > Okay,due to my first submission, there will be some problems.
To protect yourself from this situation, it is better to use LWP::UserAgent. See https://metacpan.org/pod/LWP::UserAgent#protocols_allowed
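The restriction the previous reply points to, applied to the proof-of-concept URL from the original report. This is an added example, not code from the ticket or from libwww-perl itself; the timeout and max_redirect values are assumptions chosen for a client that fetches untrusted URLs.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use LWP::UserAgent;

# Build a client that will only dispatch http and https requests.
# protocols_allowed is a documented LWP::UserAgent option: a scheme not in
# the list is refused inside the agent (LWP::Protocol::nogo answers with a
# synthetic 400) before LWP::Protocol::file or any other handler is loaded.
# Each redirect hop is issued as a fresh request through the same agent, so
# a 3xx pointing at file:// is refused in the same way.
sub make_ua {
    return LWP::UserAgent->new(
        protocols_allowed => [ 'http', 'https' ],
        timeout           => 10,   # assumption: bound time spent on a hostile server
        max_redirect      => 3,    # assumption: keep redirect chains short
    );
}

# Fetch a URL that came from an untrusted party.
# Returns ($body, undef) on success or (undef, $reason) on failure.
sub fetch_untrusted {
    my ( $ua, $url ) = @_;
    my $res = $ua->get($url);
    return ( undef, $res->status_line ) unless $res->is_success;
    return ( $res->decoded_content, undef );
}

my $ua = make_ua();

# is_protocol_supported() honours protocols_allowed, so a caller can
# reject a scheme up front instead of discovering it from a 400 response.
for my $scheme (qw(http https file ftp data)) {
    printf "%-5s %s\n", $scheme,
        $ua->is_protocol_supported($scheme) ? 'allowed' : 'refused';
}

# The reporter's proof-of-concept URL, sent through the hardened agent.
my ( $body, $err ) = fetch_untrusted( $ua, 'file:///etc/passwd' );
if ( defined $body ) {
    print "LEAKED (protocols_allowed not in effect):\n$body";
}
else {
    print "refused: $err\n";   # 400 Access to 'file' URIs has been disabled
}
```

LWP::Simple's get() goes through the LWP::UserAgent object the module exposes as $LWP::Simple::ua (see the LWP::Simple documentation), so calling protocols_allowed(['http', 'https']) on that object restricts the one-liner from the report as well; get() then returns undef for the file:// URL instead of the file contents.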
Hi,

It seems that LWP's file protocol is doing exactly what it's supposed to do: it allows you to access files on the local machine.

    perl -MLWP::Simple -E 'my $url=q(file:///etc/passwd); say(get($url))'

It properly returns the contents of the file you told it to. I don't see this as a bug of the library but as something the developer should protect against. If we arbitrarily say what the file protocol can and can't access, we then try to make the library something it's not.

Note, cat /etc/passwd will do the same thing. If it has access to read the file and dump its contents, it does. It doesn't stop and go, "hey, you shouldn't cat this particular file".

I don't think this is a bug.

-- Chase
On Tuesday, 2018-03-06 09:43:08, CAPOEIRAB wrote:
> [quoted reply, identical to the message above]
Hi, I think this is a flaw: this library is for the HTTP protocol and should not allow other protocols, such as the file protocol. Let it be resolved.