URI parsing vulnerability in AsyncHttpClient

108 views

Skip to first unread message

Greg Methvin

unread,

Sep 20, 2017, 6:48:51 PM9/20/17

to play-framew...@googlegroups.com

Description

A low-severity vulnerability has been found in the URI parsing of AsyncHttpClient, which is used by the Play WS client and by the play-ws-standalone library.

This library causes the WS API to improperly parse the URI’s authority component if it is followed by #. For example, passing http://example.com#@evil.com/foo.txt will actually make a request to evil.com.

The AsyncHttpClient issue is also described in AsyncHttpClient issue 1455

Impact

If users are allowed to pass arbitrary URI strings, this vulnerability could be used to circumvent whitelists or blacklists of host names. An RFC-compliant parser would correctly parse http://example.com#@evil.com/foo.txt. Note that this issue does not affect URIs like http://example.com/#@evil.com/foo.txt, with the slash at the beginning of the path.

Affected Versions

Play 2.6.0-2.6.3
play-ws-standalone 1.0.0-1.0.6
Play 2.5.0-2.5.16
All previous 2.x versions

Workarounds

Parse the URI using a compliant parser like java.net.URI. If the path is empty, replace the empty path with a single slash.

Fixes

Upgrade to Play 2.6.5 or play-ws-standalone 1.0.7. If using Play 2.5.x, upgrade to async-http-client 2.0.35. The issue has not been fixed in the AsyncHttpClient versions used by Play 2.4.x and earlier.

Acknowledgements

Credit for finding this vulnerability in AsyncHttpClient goes to Nicolas Grégoire from Agarri.

Reply all

Reply to author

Forward

0 new messages