.. _urllib_parse_newline_tabs:

urllib.parse should sanitize urls containing ASCII newline and tabs.
====================================================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

A security issue was reported by Mike Lissner: an attacker could place ``\r\n`` (or other ASCII tab and newline characters) in a URL, and ``urlsplit()`` / ``urlparse()`` did not sanitize them, so the characters survived into the parsed result and into any request built from it::

    >>> from urllib.parse import urlsplit
    >>> urlsplit("java\nscript:alert('bad')")
    SplitResult(scheme='', netloc='', path="java\nscript:alert('bad')", query='', fragment='')

Firefox and other browsers ignore newlines in the scheme, so the same string is treated as a ``javascript:`` URL. From the browser console::

    >> new URL("java\nscript:alert(bad)")
    << URL { href: "javascript:alert(bad)", origin: "null", protocol: "javascript:", username: "", password: "", host: "", hostname: "", port: "", pathname: "alert(bad)", search: ""

Mozilla developers pointed out that the controlling specification for URLs is the WHATWG "URL Spec", which updates RFC 3986 and specifies that ASCII tabs and newlines are stripped from the input before parsing (so they can never end up in the scheme). See: https://url.spec.whatwg.org/#concept-basic-url-parser

That link defines an automaton for URL parsing. Steps 2 and 3 of the basic URL parser read:

    2. If input contains any ASCII tab or newline, validation error.
    3. Remove all ASCII tab or newline from input.

The practical consequence is that a check on the scheme returned by Python disagrees with what a browser will execute: Python reported an empty scheme for the string above while the browser ran it as ``javascript:``. The ``urllib.parse`` behavior should therefore be updated so that ASCII tab and newline characters are removed from the URL (sanitized) before it is parsed or sent in a request, as the WHATWG spec requires.
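To make the mismatch concrete, the following is an added example, not code from the report, from CPython, or from this page. ``naive_scheme()`` is a small model of how the pre-fix ``urlsplit()`` found the scheme (text before the first ``:`` counts only if every character is a scheme character); ``whatwg_strip()`` applies steps 2 and 3 of the WHATWG basic URL parser; the deny-list policy, ``DENIED_SCHEMES`` and the sample inputs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# WHATWG basic URL parser, steps 2 and 3: ASCII tab, CR and LF are removed
# from the whole input (with a validation error) before parsing starts.
ASCII_TAB_OR_NEWLINE = "\t\r\n"

# Characters the pre-fix urlsplit() accepted inside a scheme.
SCHEME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789+-."
)

# Hypothetical deny-list policy an application might enforce on the scheme.
DENIED_SCHEMES = frozenset({"javascript", "data", "vbscript"})


def whatwg_strip(url):
    """Return (cleaned_url, validation_error).

    validation_error is True when the input contained any ASCII tab or
    newline; cleaned_url has all of them removed, as WHATWG requires.
    """
    had_bad = any(ch in ASCII_TAB_OR_NEWLINE for ch in url)
    cleaned = url.translate({ord(ch): None for ch in ASCII_TAB_OR_NEWLINE})
    return cleaned, had_bad


def naive_scheme(url):
    """Scheme as the pre-fix urlsplit() computed it (a model, not CPython code).

    The text before the first ':' is a scheme only if every character is a
    scheme character, so a stray newline or tab makes the scheme '' and pushes
    the whole string into the path.
    """
    i = url.find(":")
    if i > 0 and all(ch in SCHEME_CHARS for ch in url[:i]):
        return url[:i].lower()
    return ""


def safe_scheme(url):
    """Scheme seen after the WHATWG strip (what a browser would act on)."""
    cleaned, _ = whatwg_strip(url)
    return urlsplit(cleaned).scheme.lower()


def naive_denylist_accepts(url):
    """Deny-list filter that reads the scheme from the raw input: bypassable."""
    return naive_scheme(url) not in DENIED_SCHEMES


def safe_denylist_accepts(url):
    """Same policy, but tab/newline are stripped before the scheme is read."""
    return safe_scheme(url) not in DENIED_SCHEMES


# Constructed sample inputs (only the first one comes from the report).
SAMPLES = [
    "java\nscript:alert('bad')",   # PoC from the report
    "java\tscript:alert('bad')",   # tab variant
    "http\r\n://example.com/",     # CRLF inside an otherwise benign scheme
    "https://example.com/ok",      # clean URL: both filters agree
]


def compare(samples=SAMPLES):
    """Return {url: (naive_scheme, safe_scheme, naive_accepts, safe_accepts)}."""
    return {
        u: (naive_scheme(u), safe_scheme(u),
            naive_denylist_accepts(u), safe_denylist_accepts(u))
        for u in samples
    }


if __name__ == "__main__":
    for u, (ns, ss, na, sa) in compare().items():
        print(f"{u!r:30} naive={ns!r:13} stripped={ss!r:13} "
              f"naive_accepts={na!s:5} safe_accepts={sa}")
```

Running it shows the bypass: for the report's PoC the naive filter sees no scheme at all and lets the URL through, while the stripped view (and the browser) see ``javascript``. The fix in CPython takes the same approach of removing tab and newline from the input before parsing, so on a fixed interpreter ``urlsplit()`` on the raw string already reports ``javascript``; the model here keeps the old behaviour visible regardless of interpreter version.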
More commits:

* `3.11 `__
* `3.10 `__
* `3.9 `__

Doc changes:

* `3.10 `__
* `3.9 `__
* `3.8 `__
* `3.7 `__
* `3.6 `__

Dates:

* Disclosure date: **2021-04-18** (Python issue bpo-43882 reported)
* Reported at: 2021-03-16 (email sent to the PSRT list)
* Reported by: Mike Lissner

Fixed In
--------

* Python **3.6.14** (2021-06-28) fixed by `commit 6c472d3 (branch 3.6) `_ (2021-05-06)
* Python **3.7.11** (2021-06-28) fixed by `commit f4dac7e (branch 3.7) `_ (2021-05-06)
* Python **3.8.11** (2021-06-28) fixed by `commit 515a7bc (branch 3.8) `_ (2021-05-05)
* Python **3.9.5** (2021-05-03) fixed by `commit 491fde0 (branch 3.9) `_ (2021-04-29)
* Python **3.10.0** (2021-10-04) fixed by `commit 76cd81d (branch 3.10) `_ (2021-04-29)

Python issue
------------

[security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newline and tabs.

* Python issue: `bpo-43882 `_
* Creation date: 2021-04-18
* Reporter: Senthil Kumaran

CVE-2022-0391
-------------

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
* CVE ID: `CVE-2022-0391 `_
* Published: 2022-02-09
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2021-04-18** as reference:

* 2021-03-16 (**-33 days**): Reported (email sent to the PSRT list)
* 2021-04-18: `Python issue bpo-43882 `_ reported by Senthil Kumaran
* 2021-04-29 (**+11 days**): `commit 491fde0 (branch 3.9) `_
* 2021-04-29 (**+11 days**): `commit 76cd81d (branch 3.10) `_
* 2021-05-03 (**+15 days**): Python 3.9.5 released
* 2021-05-05 (**+17 days**): `commit 515a7bc (branch 3.8) `_
* 2021-05-06 (**+18 days**): `commit 6c472d3 (branch 3.6) `_
* 2021-05-06 (**+18 days**): `commit f4dac7e (branch 3.7) `_
* 2021-06-28 (**+71 days**): Python 3.6.14 released
* 2021-06-28 (**+71 days**): Python 3.7.11 released
* 2021-06-28 (**+71 days**): Python 3.8.11 released
* 2021-10-04: Python 3.10.0 released
* 2022-02-09 (**+297 days**): CVE-2022-0391 published

Links
-----

* https://bugzilla.redhat.com/show_bug.cgi?id=2047376