Mailing List Archive: Python: Bugs

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests

Index | Next | Previous | View Threaded

report at bugs

Nov 1, 2009, 11:34 PM

Post #1 of 9 (117 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests

New submission from Brandon Bloom <snprbob86[at]gmail.com>:

This issue came up while doing Google App Engine development. Apparently
the default wsgi handler logic is to cache os.environ into os_environ at
import time. This is reasonable behavior for wsgi, but when using cgi,
this is a serious security hole which leaks information between requests.

See this related bug at GAE:
http://code.google.com/p/googleappengine/issues/detail?
id=2040&q=cookies%20dev_appserver.py&colspec=ID%20Type%20Status%20Priority
%20Stars%20Owner%20Summary%20Log%20Component

----------
components: Library (Lib)
messages: 94819
nosy: snprbob86
severity: normal
status: open
title: wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests
type: security
versions: Python 2.5

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 2, 2009, 3:20 PM

Post #2 of 9 (106 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Changes by Antoine Pitrou <pitrou[at]free.fr>:

----------
assignee: -> pje
nosy: +pje
priority: -> high
versions: +Python 2.6, Python 2.7, Python 3.1, Python 3.2 -Python 2.5

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 3, 2009, 11:05 AM

Post #3 of 9 (100 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Phillip J. Eby <pje[at]telecommunity.com> added the comment:

This is not an issue with CGI, but an issue with using an inappropriate
WSGI handler for a long-running process environment that only emulates CGI.

That is, in a true CGI environment, there can't be *multiple* requests
made to CGIHandler, and so it can't leak. In "normal" (i.e. pre-GAE)
long-running web environments, os.environ would not contain any request
information, only the process startup environment.

This limitation of CGIHandler should be better documented, but it's a
natural consequence of its design. The os_environ and base_environ
variables are provided so that subclasses with specialized needs can
handle them differently, and GAE is definitely a specialized need.

If someone wants to provide a GAEHandler class, great; otherwise, the
documented way to run a WSGI app under GAE is the
google.appengine.ext.webapp.util.run_wsgi_app function.

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 3, 2009, 12:58 PM

Post #4 of 9 (100 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Brandon Bloom <snprbob86[at]gmail.com> added the comment:

> That is, in a true CGI environment, there can't be *multiple* requests
> made to CGIHandler, and so it can't leak. In "normal" (i.e. pre-GAE)
> long-running web environments, os.environ would not contain any request
> information, only the process startup environment.

That's fair. In this case the CGIHandler should raise an exception on
subsequent requests to prevent this programming error.

> If someone wants to provide a GAEHandler class, great; otherwise, the
> documented way to run a WSGI app under GAE is the
> google.appengine.ext.webapp.util.run_wsgi_app function.

I'm not sure if run_wsgi_app was available right from the start, as
some early tutorials and samples show using CGIHandler. That's how we
ran into this issue.

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 3, 2009, 1:13 PM

Post #5 of 9 (100 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Phillip J. Eby <pje[at]telecommunity.com> added the comment:

Hm. In retrospect, CGIHandler should probably just set os_environ to an
empty dictionary in its class body (thereby not using the cached
environ), and this would then work correctly for repeated uses.

This would be a clean bugfix and wouldn't affect behavior for any
existing uses of CGIHandler that weren't already worse broken than the
GAE case. ;-)

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 3, 2009, 11:14 PM

Post #6 of 9 (97 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Brandon Bloom <snprbob86[at]gmail.com> added the comment:

> Hm. In retrospect, CGIHandler should probably just set os_environ to an
> empty dictionary in its class body (thereby not using the cached
> environ), and this would then work correctly for repeated uses.
>
> This would be a clean bugfix and wouldn't affect behavior for any
> existing uses of CGIHandler that weren't already worse broken than the
> GAE case. ;-)

Yup, rock on with that :-)

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 4, 2009, 8:43 AM

Post #7 of 9 (97 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Phillip J. Eby <pje[at]telecommunity.com> added the comment:

I've forwarded the suggested fix to the GAE team; it is to add this line:

os_environ = {} # Handle GAE and other multi-run CGI use cases

to the class body of CGIHandler. This should also be done in the Python
stdlib.

Btw, this fix can also be applied as a monkeypatch, by simply doing
'CGIHandler.os_environ = {}' before using CGIHandler.

----------
keywords: +26backport, easy, patch

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 5, 2009, 2:40 AM

Post #8 of 9 (97 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Brandon Bloom <snprbob86[at]gmail.com> added the comment:

> I've forwarded the suggested fix to the GAE team; it is to add this line:
>
> os_environ = {} # Handle GAE and other multi-run CGI use cases
>
> to the class body of CGIHandler. This should also be done in the Python
> stdlib.

I don't think that works. This still shares a common os_environ across
requests. You need to clear the dictionary after every request.

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

report at bugs

Nov 5, 2009, 7:39 AM

Post #9 of 9 (93 views)
Permalink

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests [In reply to]

Phillip J. Eby <pje[at]telecommunity.com> added the comment:

The os_environ attribute is only used in one place; this line:

env = self.environ = self.os_environ.copy()

So, nothing is shared.

----------

_______________________________________
Python tracker <report[at]bugs.python.org>
<http://bugs.python.org/issue7250>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com