Compiled by: Python Cat
Original: https://thehackernews.com/2023/08/new-python-url-parsing-flaw-enables.htm
A high-severity security vulnerability has been disclosed in Python's URL parsing function. It can be exploited to bypass domain or protocol (scheme) filters that are implemented as blocklists, which in turn can lead to arbitrary file reads and command execution.
The CERT Coordination Center (CERT/CC) said in a notice on Friday: "If the entire URL starts with a whitespace character, urlparse has a parsing problem. This problem affects the parsing of both the hostname and the request protocol, and eventually causes the blocklist to be bypassed."
The vulnerability is tracked as CVE-2023-24329 and has a CVSS score of 7.5. Security researcher Yebo Cao discovered and reported this vulnerability in August 2022.
This vulnerability is fixed in the following Python releases (anything older on the same branch is affected):
3.12 and later
3.11.x: 3.11.4 and later
3.10.x: 3.10.12 and later
3.9.x: 3.9.17 and later
3.8.x: 3.8.17 and later
3.7.x: 3.7.17 and later
urllib.parse is a widely used standard-library module for breaking a URL down into its components (scheme, network location, path, query and so on) and for combining those components back into a single URL string; urlparse is its main parsing function.
CVE-2023-24329 arises from a lack of input validation for URLs that begin with a whitespace character, for example " https://youtube.com" (note the leading space). Because the first character is not a letter, the parser finds no scheme and no network location, so a filter that inspects the parsed scheme or hostname sees empty strings and lets the URL through.
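As an added example (written for this compilation; it is not code from the advisory, from CERT/CC or from CPython), the following Python script reproduces the bypass described in the CERT/CC quote and in the root-cause paragraph above, and sets a hardened check beside it. A blocklist that compares urlparse().netloc lets " https://evil.example/" through on an unpatched interpreter, because the leading space makes both scheme and netloc parse as empty strings. The hardened check fails closed: it rejects input that starts or ends with whitespace or a C0 control character, allowlists the scheme, and compares hostname rather than netloc. The hostnames evil.example, good.example, probe.example and the blocklist contents are constructed for the demo; interpreter_is_vulnerable() probes the running interpreter so the output is correct on both patched and unpatched versions.

```python
"""Demonstrates CVE-2023-24329: a URL with leading whitespace defeats a
blocklist built on urllib.parse.urlparse(), alongside a hardened check.
Example code added for this article; not from CPython or the advisory."""
from urllib.parse import urlparse

# WHATWG "C0 control or space": the characters the CPython fix strips from
# both ends of the URL before parsing (U+0000..U+0020).
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed sample blocklist and scheme allowlist for the demo
# (hypothetical hostnames, not real targets).
BLOCKED_HOSTS = {"evil.example", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def interpreter_is_vulnerable() -> bool:
    """True if this interpreter's urlparse still has the flaw: a leading
    space makes the scheme and netloc come back as empty strings."""
    parts = urlparse(" https://probe.example/")
    return parts.scheme == "" and parts.netloc == ""


def naive_is_blocked(url: str) -> bool:
    """The pattern the advisory warns about: compare netloc against a
    blocklist without normalising the input first. On an unpatched
    interpreter ' https://evil.example/' yields netloc '' and slips through.
    'https://user@evil.example:8443/' slips through on every version,
    because netloc still carries the userinfo and port."""
    return urlparse(url).netloc in BLOCKED_HOSTS


def hardened_check(url: str) -> str:
    """Fail-closed URL check. Returns 'allow' or a rejection reason."""
    # A well-formed URL never starts or ends with whitespace or a control
    # character; treat such input as malformed instead of guessing.
    if url != url.strip(C0_CONTROL_OR_SPACE):
        return "reject: leading/trailing whitespace or control character"
    parts = urlparse(url)
    # Allowlist the scheme: an empty or unexpected scheme is rejected, so a
    # parser quirk that drops the scheme cannot turn into a bypass.
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"reject: scheme {parts.scheme!r} not allowed"
    # .hostname lower-cases the host and strips userinfo and port, so
    # 'https://user@EVIL.example:8443/' still matches the blocklist.
    host = parts.hostname
    if not host:
        return "reject: empty host"
    if host in BLOCKED_HOSTS:
        return f"reject: host {host!r} is blocklisted"
    return "allow"


if __name__ == "__main__":
    print("vulnerable interpreter:", interpreter_is_vulnerable())
    for candidate in ("https://evil.example/",
                      " https://evil.example/",
                      "https://user@EVIL.example:8443/",
                      "ftp://good.example/",
                      "https://good.example/"):
        print(f"{candidate!r:36} naive_blocked={naive_is_blocked(candidate)!s:5} "
              f"hardened={hardened_check(candidate)}")
```

Run it with an interpreter older than the fixed releases listed above and the naive check reports naive_blocked=False for the space-padded URL; on a fixed release urlparse strips the leading and trailing whitespace itself, so the naive check happens to catch that case. The userinfo/port variant still passes a netloc comparison on every version, which is why the hardened check compares hostname and allowlists the scheme instead of relying on the parser to behave.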
"While blocklisting is considered suboptimal, it is still necessary in many cases," Cao said. "It can cause SSRF (Server Side Request Forgery) and RCE (Remote Code Execution) in a large number of scenarios."