14.2.0's decoding auth_digest parameters breaks authentication if "uri" contains encoded slashes
I'm submitting a …
- bug report

What is the current behavior?
Starting with 14.2, parameters are decoded in cherrypy/lib/auth_digest.py:HttpDigestAuthorization's constructor. One of the parameters is uri. If uri contains e.g. a slash, I get an authentication loop.

If the current behavior is a bug, please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.
- start up application
- enter a URL, e.g. testhost:8080/test_page?from=%2F
- enjoy the loop

What is the expected behavior?
- serving the page

Please tell us about your environment:
- Cheroot version: 6.3.1
- CherryPy version: 14.2.0 or 15.0.0
- Python version: 3.6 and 3.5
- OS: Mac OSX and Linux
- Browser: at_least([Chrome | Firefox])

(PR to follow.)
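The failure mode in the report, as an added illustration that is not CherryPy's code: a Digest Authorization header is parsed once with its parameter values percent-decoded (the 14.2.0 behaviour described above) and once verbatim, and the "uri" parameter is then compared with the request target. The header values, the request target and the simplified equality check are assumptions made for this example; a real verifier also recomputes the response hash.

```python
import re
from urllib.parse import unquote

# Constructed Authorization header, shaped like what a browser sends back for
# the request target "/test_page?from=%2F" (credentials and nonces are made up).
AUTH_HEADER = (
    'Digest username="alice", realm="test", nonce="abc123", '
    'uri="/test_page?from=%2F", response="0123456789abcdef", '
    'qop=auth, nc=00000001, cnonce="xyz"'
)
REQUEST_TARGET = "/test_page?from=%2F"

# key=value pairs, either quoted ("...") or bare (qop=auth, nc=00000001)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header, decode_params):
    """Split a Digest credentials header into a dict.

    decode_params=True percent-decodes every value (the behaviour the issue
    reports); decode_params=False keeps the values exactly as sent.
    """
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    for match in _PARAM_RE.finditer(rest):
        key, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        params[key] = unquote(value) if decode_params else value
    return params


def uri_matches(header, request_target, decode_params):
    """The digest 'uri' must equal the request target byte for byte.

    When it does not, the server rejects the credentials and issues a fresh
    challenge, which is what the browser/server loop in the report looks like.
    """
    return parse_digest(header, decode_params)["uri"] == request_target


def demo():
    # Decoding turns %2F into "/", so the comparison fails; verbatim passes.
    return {
        "decoded": uri_matches(AUTH_HEADER, REQUEST_TARGET, decode_params=True),
        "verbatim": uri_matches(AUTH_HEADER, REQUEST_TARGET, decode_params=False),
    }
```

Decoding the uri before comparison also makes distinct request targets (for example one containing %2F and one containing a literal slash) compare equal, so keeping the parameter verbatim for the comparison is both the fix for the loop and the safer check.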
Top GitHub Comments
Thank you very much for figuring out a solution and sorry if I was unclear; I do not know much about CherryPy internals.
It’s alright that you don’t know internals. You helped us a lot 😃