Impact
- Attacker providing malicious redirect uri can cause DoS to oauthlib's web application.
- Attacker can also leverage usage of
uri_validate functions depending where it is used.
What kind of vulnerability is it? Who is impacted?
Oauthlib applications using OAuth2.0 provider support or use directly uri_validate function.
Patches
Has the problem been patched? What versions should users upgrade to?
Issue fixed in 3.2.1 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The redirect_uri can be verified in web toolkit (i.e bottle-oauthlib, django-oauth-toolkit, ...) before oauthlib is called. A sample check if : is present to reject the request can prevent the DoS, assuming no port or IPv6 is fundamentally required.
References
Attack Vector:
PoC
is_absolute_uri("http://[:::::::::::::::::::::::::::::::::::::::]/path")Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io
Impact
uri_validatefunctions depending where it is used.What kind of vulnerability is it? Who is impacted?
Oauthlib applications using OAuth2.0 provider support or use directly
uri_validatefunction.Patches
Has the problem been patched? What versions should users upgrade to?
Issue fixed in 3.2.1 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The
redirect_urican be verified in web toolkit (i.ebottle-oauthlib,django-oauth-toolkit, ...) before oauthlib is called. A sample check if:is present to reject the request can prevent the DoS, assuming no port or IPv6 is fundamentally required.References
Attack Vector:
oauthlib/oauthlib/oauth2/rfc6749/grant_types/base.py
Line 232 in d4bafd9
uri_validatefunctions:https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
PoC
Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io