Impact
- An attacker who supplies a malicious redirect URI can cause a denial of service (DoS) in a web application that uses oauthlib.
- An attacker can also abuse the uri_validate functions, depending on where they are used.
What kind of vulnerability is it? Who is impacted?
Applications that use oauthlib's OAuth 2.0 provider support, or that call the uri_validate functions directly, are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The issue is fixed in the 3.2.2 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The redirect_uri can be verified in the web toolkit (e.g. bottle-oauthlib, django-oauth-toolkit, ...) before oauthlib is called. A sample check that rejects the request if : is present can prevent the DoS, assuming no port or IPv6 is fundamentally required.
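One way to write that check, as an added example that is not code from oauthlib or from the toolkits named above. It assumes the ':' test applies to the authority (host) part of the URI, since every absolute URI already has a ':' after its scheme; authority_of and redirect_uri_precheck are hypothetical names.

```python
import re

# RFC 3986 scheme syntax; contains no ':' so the first "://" ends the scheme.
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def authority_of(uri):
    """Return the authority component of uri, or None if it has none.

    The authority is the text between "://" and the next '/', '?' or '#'.
    """
    scheme, sep, rest = uri.partition("://")
    if not sep or not _SCHEME_RE.fullmatch(scheme):
        return None
    end = len(rest)
    for delimiter in "/?#":
        pos = rest.find(delimiter)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def redirect_uri_precheck(uri):
    """Hypothetical toolkit-side gate: True if uri may be passed to oauthlib.

    Rejects any ':' in the authority, which rules out ports, user:password
    userinfo and bracketed IPv6 literals such as the one in the PoC.
    """
    if not isinstance(uri, str):
        return False
    authority = authority_of(uri)
    if not authority:  # no "scheme://" prefix, or empty host
        return False
    return ":" not in authority


# Constructed sample inputs (the second is the PoC string from this advisory).
SAMPLES = [
    "https://client.example/cb?next=a:b",
    "http://[:::::::::::::::::::::::::::::::::::::::]/path",
    "https://client.example:8443/cb",
    "client.example/cb",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "pass to oauthlib" if redirect_uri_precheck(sample) else "reject"
        print(f"{verdict:17} {sample}")
```

A ':' in the path or query does not trigger a rejection; only the authority is inspected.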
PoC
from oauthlib.uri_validate import is_absolute_uri
is_absolute_uri("http://[:::::::::::::::::::::::::::::::::::::::]/path")
Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io
References
Attack Vector: https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
uri_validate functions: https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py