[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of twisted?

Free Ekanayaka <freee@debian.org> writes:

> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.

So I created the following code:

=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os

class ClockPage(Resource):
    isLeaf = True

    def render_GET(self, request):
        return "<html><body>%s</body></html>" % (time.ctime(),)

resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
=== cut ===

Then I attempted to run from wheezy. In particular, I used the following

curl -H "Proxy: http://meow/"; http://localhost:8880/

I inspected the console output, but could not find any references to
meow or HTTP_PROXY:

{'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000', 'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root', 'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default', 'PWD': '/home/brian/tree/debian/debian-lts/wheezy/twisted/test', 'SCHROOT_SESSION_ID': 'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b', 'SCHROOT_USER': 'brian', 'USER': 'root', 'HOME': '/root', 'SCHROOT_GID': '1000', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LOGNAME': 'root', 'SCHROOT_GROUP': 'brian', 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default', '_': '/usr/bin/python'}

I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.

I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.
Brian May <bam@debian.org>

Reply to: