PyPI - uploadserver - Versions diffs - 6.0.2__tar.gz → 6.0.3__tar.gz - Mend

uploadserver 6.0.2tar.gz → 6.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

{uploadserver-6.0.2/uploadserver.egg-info → uploadserver-6.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: uploadserver
-Version: 6.0.2
+Version: 6.0.3
 Summary: Python's http.server extended to include a file upload page
 Home-page: https://github.com/Densaugeo/uploadserver
 Author: Densaugeo
@@ -203,6 +203,11 @@ options:
 - File field in upload form renamed from `file_1` to `files`, to reflect support for multiple file upload. Scripts using cURL will need to be upadted with the new field name.
 - Successful uploads now respond with 204 No Content instead of 200 OK, so that cURL will not default to printing the upload page at the terminal.
+## Security Issues
+- Patched in `6.0.3`: Timing side channel. Introduced in `1.0.0`. Unpatched versions using the `--basic-auth`, `--basic-auth-upload`, or `--token` options are vulnerable to revealing password information through response timing.
+- Patched in `6.0.2`: DoS vulnerability. Introduced in `4.1.0`. Unpatched versions using the `--basic-auth` or `--basic-auth-upload` options generate stack traces in response to certain requests, which could be used to pollute logs or exhaust storage.
 ## Acknowledgements
 Much of `main()` was copied from Python's `http.server`.
@@ -217,4 +222,6 @@ Thanks to shuangye for finding an easy way to handle large file uploads, and imp
 Thanks to abbbe for adding HTTP basic auth (has now replaced the token option).
+Thanks to 0xLordMahesh for reporting the timing side channel and DoS vulnerabilities patched in 6.0.2 and 6.0.3.
 Thanks to SimarMugattarov, theo543, and poshul for minor updates.

{uploadserver-6.0.2 → uploadserver-6.0.3}/README.md RENAMED Viewed

@@ -180,6 +180,11 @@ options:
 - File field in upload form renamed from `file_1` to `files`, to reflect support for multiple file upload. Scripts using cURL will need to be upadted with the new field name.
 - Successful uploads now respond with 204 No Content instead of 200 OK, so that cURL will not default to printing the upload page at the terminal.
+## Security Issues
+- Patched in `6.0.3`: Timing side channel. Introduced in `1.0.0`. Unpatched versions using the `--basic-auth`, `--basic-auth-upload`, or `--token` options are vulnerable to revealing password information through response timing.
+- Patched in `6.0.2`: DoS vulnerability. Introduced in `4.1.0`. Unpatched versions using the `--basic-auth` or `--basic-auth-upload` options generate stack traces in response to certain requests, which could be used to pollute logs or exhaust storage.
 ## Acknowledgements
 Much of `main()` was copied from Python's `http.server`.
@@ -194,4 +199,6 @@ Thanks to shuangye for finding an easy way to handle large file uploads, and imp
 Thanks to abbbe for adding HTTP basic auth (has now replaced the token option).
+Thanks to 0xLordMahesh for reporting the timing side channel and DoS vulnerabilities patched in 6.0.2 and 6.0.3.
 Thanks to SimarMugattarov, theo543, and poshul for minor updates.

{uploadserver-6.0.2 → uploadserver-6.0.3}/setup.py RENAMED Viewed

@@ -5,7 +5,7 @@ with open('README.md', 'r') as fh:
 setuptools.setup(
     name='uploadserver',
-    version='6.0.2',
+    version='6.0.3',
     author='Densaugeo',
     author_email='author@example.com',
     description='Python\'s http.server extended to include a file upload page',

{uploadserver-6.0.2 → uploadserver-6.0.3}/uploadserver/__init__.py RENAMED Viewed

@@ -1,5 +1,5 @@
 import http.server, http, pathlib, sys, argparse, ssl, os, builtins, tempfile
-import ipaddress
+import ipaddress, hmac
 import base64, binascii, functools, contextlib
 # Does not seem to do be used, but leaving this import out causes uploadserver
@@ -168,7 +168,7 @@ def receive_upload(handler: http.server.BaseHTTPRequestHandler,
 # True return type is tuple[bool, str | None], but Python 3.9 doesn't support |
 def check_http_authentication_header(
-handler: http.server.BaseHTTPRequestHandler, auth: str,
+handler: http.server.BaseHTTPRequestHandler, auth: tuple[bytes, bytes],
 ) -> tuple[bool, str]:
     auth_header = handler.headers.get('Authorization')
     if auth_header is None:
@@ -187,9 +187,11 @@ handler: http.server.BaseHTTPRequestHandler, auth: str,
         return (False, 'Credentials incorrectly formatted')
     http_username, http_password = http_username_password.split(':', 1)
-    args_username, args_password = auth.split(':', 1)
-    if http_username != args_username: return (False, 'Bad username')
-    if http_password != args_password: return (False, 'Bad password')
+    args_username, args_password = auth
+    if not hmac.compare_digest(bytes(http_username, 'utf8'), args_username):
+        return (False, 'Bad username')
+    if not hmac.compare_digest(bytes(http_password, 'utf8'), args_password):
+        return (False, 'Bad password')
     return (True, None)
@@ -206,12 +208,12 @@ def check_http_authentication(handler: http.server.BaseHTTPRequestHandler
             return True
         # If only --basic-auth is supplied, it's used for all requests
-        valid, message = check_http_authentication_header(handler, args.basic_auth)
+        valid, message = check_http_authentication_header(handler, basic_auth)
     else:
         # If --basic-auth-upload is supplied, it's always required for /upload
         if handler.path == '/upload':
             valid, message = check_http_authentication_header(handler,
-                args.basic_auth_upload)
+                basic_auth_upload)
         else:
             # For paths outside /upload, no auth is required when --basic-auth
             # is not supplied
@@ -221,10 +223,12 @@ def check_http_authentication(handler: http.server.BaseHTTPRequestHandler
             # For paths outise /upload, if both auths are supplied both are
             # accepted
             else:
-                valid, message = check_http_authentication_header(handler, args.basic_auth)
+                valid, message = check_http_authentication_header(handler,
+                    basic_auth)
                 if not valid:
-                    valid, message = check_http_authentication_header(handler, args.basic_auth_upload)
+                    valid, message = check_http_authentication_header(handler,
+                        basic_auth_upload)
     if not valid:
         handler.log_message('Request rejected (%s)', message)
@@ -422,7 +426,7 @@ def serve_forever():
     )
 def main():
-    global args
+    global args, basic_auth, basic_auth_upload
     parser = argparse.ArgumentParser()
     parser.add_argument('port', type=int, default=8000, nargs='?',
@@ -463,4 +467,13 @@ def main():
                 'argument.'
             )
+    # Cache bytes() conversions of auth values, to prevent leaking information
+    # via timing (issue #53)
+    if args.basic_auth:
+        username, password = args.basic_auth.split(':', 1)
+        basic_auth = (bytes(username, 'utf8'), bytes(password, 'utf8'))
+    if args.basic_auth_upload:
+        username, password = args.basic_auth_upload.split(':', 1)
+        basic_auth_upload = (bytes(username, 'utf8'), bytes(password, 'utf8'))
     serve_forever()

{uploadserver-6.0.2 → uploadserver-6.0.3/uploadserver.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: uploadserver
-Version: 6.0.2
+Version: 6.0.3
 Summary: Python's http.server extended to include a file upload page
 Home-page: https://github.com/Densaugeo/uploadserver
 Author: Densaugeo
@@ -203,6 +203,11 @@ options:
 - File field in upload form renamed from `file_1` to `files`, to reflect support for multiple file upload. Scripts using cURL will need to be upadted with the new field name.
 - Successful uploads now respond with 204 No Content instead of 200 OK, so that cURL will not default to printing the upload page at the terminal.
+## Security Issues
+- Patched in `6.0.3`: Timing side channel. Introduced in `1.0.0`. Unpatched versions using the `--basic-auth`, `--basic-auth-upload`, or `--token` options are vulnerable to revealing password information through response timing.
+- Patched in `6.0.2`: DoS vulnerability. Introduced in `4.1.0`. Unpatched versions using the `--basic-auth` or `--basic-auth-upload` options generate stack traces in response to certain requests, which could be used to pollute logs or exhaust storage.
 ## Acknowledgements
 Much of `main()` was copied from Python's `http.server`.
@@ -217,4 +222,6 @@ Thanks to shuangye for finding an easy way to handle large file uploads, and imp
 Thanks to abbbe for adding HTTP basic auth (has now replaced the token option).
+Thanks to 0xLordMahesh for reporting the timing side channel and DoS vulnerabilities patched in 6.0.2 and 6.0.3.
 Thanks to SimarMugattarov, theo543, and poshul for minor updates.