Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Bypass proxy authentication with HTTP/1.0 requests #1267

Closed
larsks opened this issue Sep 4, 2022 · 6 comments
Closed

Security: Bypass proxy authentication with HTTP/1.0 requests #1267

larsks opened this issue Sep 4, 2022 · 6 comments
Assignees
@abhinavsingh
Labels
Bug Bug report in proxy server

Comments

@larsks
Copy link

larsks commented Sep 4, 2022

Describe the bug

It is possible to bypass proxy authentication by sending an HTTP/1.0 request with no request headers.

To Reproduce
Steps to reproduce the behavior:

  1. Run proxy.py as proxy --basic-auth user:secret
  2. Run the following Python code: 
    import requests

proxies = {
  "http": "http://127.0.0.1:8899",
  "https": "http://127.0.0.1:8899"
}

response = requests.get("https://www.example.com", proxies=proxies)

print(response.status_code)
  3. See that the proxy accepts the request and returns the remote
    content.

You can reproduce this yourself like this:

$ telnet localhost 8899
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT www.example.com:80 HTTP/1.0

HTTP/1.1 200 Connection established

Expected behavior

proxy.py should return a 407 Proxy Authentication Required result.

Version information

  • OS: Fedora 36
  • Browser: curl, Python requests
  • Device: An x86_64 desktop
  • proxy.py Version: 2.4.3

This problem also reproduces with the current develop branch (5e02436).
@larsks larsks added the Bug Bug report in proxy server label Sep 4, 2022
@abhinavsingh
Copy link
Owner

@larsks Unsure if this has started happening after any recent commit or has this been always the case. Nevertheless, thanks for reporting this. Really appreciate it. I'll get this out fixed soon. Best.

@dongfangtianyu
Copy link
Contributor

dongfangtianyu commented Aug 4, 2023
edited

I encountered the same problem and easily reproduced it.

Tracking https://github.com/abhinavsingh/proxy.py/blob/develop/proxy/http/proxy/auth.py#L30 The variables here,

The value of request.headers was found to be None, so the entire validation logic was skipped

if self.flags.auth_code and request.headers:

I'm not sure why the Boolean value of request.headers is determined here.

My guess is to avoid causing errors in the next line of code not in request. headers .

A simple repair solution is to determine whether to perform authentication checks if the headers are not involved.

Example: https://github.com/dongfangtianyu/proxy.py/blob/develop/proxy/http/proxy/auth.py#L30

@abhinavsingh
Copy link
Owner

Thank you @dongfangtianyu for bringing my attention back to this. Do you want to send a PR for the same? Will be happy to review/merge. Best

@dongfangtianyu
Copy link
Contributor

Thank you @dongfangtianyu for bringing my attention back to this. Do you want to send a PR for the same? Will be happy to review/merge. Best

Sure, I'm happy to do it.
I'm currently getting familiar with the contribution guidelines and test cases, and I will try to submit the PR later.

dongfangtianyu added a commit to dongfangtianyu/proxy.py that referenced this issue Aug 12, 2023
@dongfangtianyu
test: Add test case to reproduce bug abhinavsingh#1267
e86a2be
dongfangtianyu added a commit to dongfangtianyu/proxy.py that referenced this issue Aug 12, 2023
@dongfangtianyu
fix: Bypass proxy authentication with HTTP/1.0 requests abhinavsingh#…
42a7105 
…1267
abhinavsingh added a commit that referenced this issue Apr 12, 2024
@dongfangtianyu @pre-commit-ci @abhinavsingh
FIX proxy authentication bypass with HTTP/1.0 requests #1267 (#1342)
81510a0 
* test: Add test case to reproduce bug #1267

* fix: Bypass proxy authentication with HTTP/1.0 requests #1267

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Abhinav Singh <126065+abhinavsingh@users.noreply.github.com>
@abhinavsingh
Copy link
Owner

Thank you folks, closing this now

@abhinavsingh
Copy link
Owner

I'll cut a 2.4.4 soon, so that 2.4.3 is no longer the default install which contains this vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@abhinavsingh abhinavsingh

Labels
Bug Bug report in proxy server
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@larsks @abhinavsingh @dongfangtianyu