
pywikibot/core security vulnerability in "requests"
Closed, ResolvedPublic

Description

From Github, pywikibot/core has a security vulnerability:

Remediation

Upgrade requests to version 2.20.0 or later. For example:

install_requires=[
    'requests>=2.20.0'
],

or…

extras_require={
    # setuptools expects a dict here; 'security' is just an example extra name
    'security': ['requests>=2.20.0'],
},

Always verify the validity and compatibility of suggestions with your codebase.

Details

https://nvd.nist.gov/vuln/detail/CVE-2018-18074
moderate severity
Vulnerable versions: <= 2.19.1
Patched version: 2.20.0

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
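A side-by-side model of the redirect rule, as an added example that is not pywikibot's or the requests project's own code: the "fixed" function is reconstructed from the behaviour requests 2.20.0 adopted (treat its details as an assumption), the "vulnerable" function models the pre-2.20 same-hostname-only check, and the version test uses the ranges quoted in the alert above.

```python
"""Model of CVE-2018-18074: does an https->http redirect keep the
Authorization header?  Added example; assumptions are marked in comments."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def strips_auth_pre_2_20(old_url: str, new_url: str) -> bool:
    """Vulnerable rule (assumed for requests <= 2.19.1): only a hostname
    change removes the header, so a same-host https->http redirect keeps it."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def strips_auth_2_20(old_url: str, new_url: str) -> bool:
    """Rule modelled on requests 2.20.0 (assumption, reconstructed from the fix):
    a scheme downgrade or port change on the same host also removes the header."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    # Upgrade from http:80 to https:443 on the same host keeps the header.
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False
    # Same scheme on its default port (explicit or implicit): keep the header.
    default = (DEFAULT_PORTS.get(old.scheme), None)
    if old.scheme == new.scheme and old.port in default and new.port in default:
        return False
    return old.port != new.port or old.scheme != new.scheme


def requests_is_vulnerable(version: str) -> bool:
    """True for requests releases <= 2.19.1, the range given in the alert."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= (2, 19, 1)


def redirect_leaks_credentials(version: str, old_url: str, new_url: str) -> bool:
    """Would the given requests version forward Authorization on this redirect?"""
    rule = strips_auth_pre_2_20 if requests_is_vulnerable(version) else strips_auth_2_20
    return not rule(old_url, new_url)


if __name__ == "__main__":
    # Constructed sample redirect: same host, https downgraded to plain http.
    for v in ("2.19.1", "2.20.0"):
        leak = redirect_leaks_credentials(v, "https://wiki.example/w/api.php",
                                          "http://wiki.example/w/api.php")
        print(f"requests {v}: header forwarded to http = {leak}")
```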

Event Timeline

Xqt triaged this task as Medium priority. Oct 30 2018, 4:13 PM

No idea why the bot didn’t tag the patch https://gerrit.wikimedia.org/r/#/c/pywikibot/core/+/470841/

This is a security task, so the bot can't access it. But since your patch is public, we can make this ticket public as well.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 1 2018, 3:53 AM

Change 470841 merged by jenkins-bot:
[pywikibot/core@master] [Security] use requests version 2.20.0 or later

https://gerrit.wikimedia.org/r/470841

Xqt lowered the priority of this task from Medium to Low. Nov 1 2018, 4:22 AM

Should we also inform bot owners to update the library? I guess forcing it is counterproductive.

Hm, a lot of tests are failing due to a RequestsDependencyWarning for the cryptography library needed for older Python releases. But this will be a separate task.

> Should we also inform bot owners to update the library? I guess forcing it is counterproductive.

IMO anyone who wants security updates should install the latest version of pywikibot which will install a new version of requests as a requirement. We should not encourage people to continue cloning the repository and pulling from the master branch.

> Should we also inform bot owners to update the library? I guess forcing it is counterproductive.
>
> IMO anyone who wants security updates should install the latest version of pywikibot which will install a new version of requests as a requirement. We should not encourage people to continue cloning the repository and pulling from the master branch.

Good point

> No idea why the bot didn’t tag the patch https://gerrit.wikimedia.org/r/#/c/pywikibot/core/+/470841/

The alert came from GitHub, which solely looks at the master branch. Your patch was pending merge, so GitHub could not notice it. Anyway, the master branch is now fixed.

Seems like version 3.0.20190106 published at https://pypi.org/project/pywikibot/ contains the fix. So we are all set.

Thank you!