
Issue when scpd_url contains something strange #9

Open

hotab opened this issue Aug 10, 2020 · 6 comments

Labels: bug (Something isn't working)

Comments

@hotab

hotab commented Aug 10, 2020

The library will break in different ways when scpd_url contains something other than a URL part beginning with /.
In my specific example, a router prefixes the URL with the full URL.

Specifically, in this line:

service_description = utils.make_http_request(self.base_url + self.scpd_url).read()

If you have base_url == http://[router_ip]:1900 and scpd_url = http://[router_ip]:1900/some.xml - you will get a name resolution error.

Second error from here: #7 may be related.

@5kyc0d3r 5kyc0d3r added the bug Something isn't working label Aug 14, 2020
@5kyc0d3r
Owner

Hi, thank you for your issue. Does 1be5dab fix this? Please upgrade upnpy:

pip install upnpy --upgrade

@hotab
Author

hotab commented Aug 15, 2020

Yes, the commit seems to fix the immediate issue. But, in general, it may be a somewhat bad idea. Normally, services would not be allowed to issue a URL outside of base_url.

But if, say, base_url = http://192.168.0.1 and ssdp_url is http://google.com/some_url, traffic would go to google.com.

Then we may pass another scheme, like file://.

I think we need a bit more of whitelisting here.

@5kyc0d3r
Owner

Ah yes, I think I see what you mean. I'm currently adding some more checks.

@5kyc0d3r
Owner

I pushed some changes in eb798af which should (hopefully) fix these issues.

@hotab
Author

hotab commented Aug 16, 2020

>>> from urllib.parse import urlparse
>>> urlparse("http://192.168.0.1:1000").hostname
'192.168.0.1'
>>> urlparse("http://192.168.0.1:2000").hostname
'192.168.0.1'

There is still an issue with ports.
I think the best way is to have a configurable strict mode which you can set to:

  1. Allow only http/https scheme, host, and port
  2. Allow only http/https scheme and host but allow to change ports
  3. Allow only http/https scheme, but allow to vary host and port.
  4. Allow all base_urls.

Also, scheme may go up from http to https, but prob not downwards.

The default, I think, makes sense to stay at what it is now: changing ports allowed, but not hostname or scheme downgrade. Not sure if this will follow standards, tho.

Also, I think it would make sense to reconstruct scpd_url from base components instead of allowing it to stay the same to avoid issues with different url parsing used (e.g. scheme://username:password@host:port/path...). E.g. these slides: https://www.slideshare.net/codeblue_jp/a-new-era-of-ssrf-exploiting-url-parser-in-trending-programming-languages-by-orange-tsai
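A sketch of the strict-mode resolution described in the comment above, added here as an illustration; it is not upnpy's code nor the fix from the commits mentioned in the thread, and the level names, the resolve_scpd_url/allowed helpers and the sample addresses are assumptions. It resolves scpd_url against base_url, checks scheme, host and port according to the chosen level, and rebuilds the URL from parsed components instead of passing the raw string through.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Strict-mode levels, numbered as in the comment above (constructed names, not upnpy's API).
STRICT_SCHEME_HOST_PORT = 1  # scheme, host and port must all match base_url
STRICT_SCHEME_HOST = 2       # scheme and host must match; port may change (the proposed default)
STRICT_SCHEME = 3            # only the scheme is restricted to http/https
ALLOW_ALL = 4                # no checks, like the original string concatenation
ALLOWED_SCHEMES = ("http", "https")


def _effective_port(parts):
    """Explicit port, or the scheme default when none is given."""
    if parts.port is not None:  # .port raises ValueError for a non-numeric port
        return parts.port
    return 443 if parts.scheme == "https" else 80


def resolve_scpd_url(base_url, scpd_url, strict=STRICT_SCHEME_HOST):
    """Resolve, validate and rebuild the SCPD URL; raises ValueError when refused."""
    base = urlsplit(base_url)
    # urljoin covers the relative form ('/some.xml') and the absolute form the router
    # in the report sends; a foreign scheme such as file:// is returned unchanged.
    target = urlsplit(urljoin(base_url, scpd_url))
    if strict != ALLOW_ALL:
        if target.scheme not in ALLOWED_SCHEMES:
            raise ValueError("scheme %r not allowed" % target.scheme)
        if not target.hostname:
            raise ValueError("missing host")
        if target.username is not None or target.password is not None:
            raise ValueError("userinfo in URL not allowed")
    if strict in (STRICT_SCHEME_HOST_PORT, STRICT_SCHEME_HOST):
        if target.hostname != base.hostname:
            raise ValueError("host %r differs from base host" % target.hostname)
        if base.scheme == "https" and target.scheme == "http":  # upgrade ok, downgrade not
            raise ValueError("scheme downgrade https -> http")
    if strict == STRICT_SCHEME_HOST_PORT and _effective_port(target) != _effective_port(base):
        raise ValueError("port differs from base port")
    # Rebuild from parsed components so userinfo, fragment and parser-confusing
    # leftovers never reach the HTTP client.
    host = target.hostname or ""
    if ":" in host:  # IPv6 literal gets its brackets back
        host = "[" + host + "]"
    netloc = host if target.port is None else "%s:%d" % (host, target.port)
    return urlunsplit((target.scheme, netloc, target.path or "/", target.query, ""))


def allowed(base_url, scpd_url, strict=STRICT_SCHEME_HOST):
    # True when resolve_scpd_url accepts the pair, False when it refuses it.
    try:
        resolve_scpd_url(base_url, scpd_url, strict)
    except ValueError:
        return False
    return True
```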

@5kyc0d3r
Owner

Sounds good. I will start implementing these as soon as I get back to the PC 😃.
