Page MenuHomePhabricator
Create Task
Maniphest T208296

pywikibot/core security vulnerablity in "requests"
Closed, ResolvedPublic
Actions

Description

From Github, pywikibot/core has a security vulnerability:

Remediation

Upgrade requests to version 2.20.0 or later. For example:

install_requires=[
    'requests>=2.20.0'
],

or…

extra_requires=[
    'requests>=2.20.0'
],

Always verify the validity and compatibility of suggestions with your codebase.

Details

https://nvd.nist.gov/vuln/detail/CVE-2018-18074
moderate severity
Vulnerable versions: <= 2.19.1
Patched version: 2.20.0

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Details

SubjectRepoBranchLines +/-
[Security] use requests version 2.20.0 or laterpywikibot/coremaster+4 -4
Customize query in gerrit

Event Timeline

hashar created this task.Oct 30 2018, 9:31 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 30 2018, 9:31 AM
hashar added a project: Pywikibot.Oct 30 2018, 9:33 AM
hashar added subscribers: Xqt, jayvdb, XZise and 2 others.
Xqt triaged this task as Medium priority.Oct 30 2018, 4:13 PM
Xqt claimed this task.Oct 31 2018, 2:15 PM
Xqt added a comment.Nov 1 2018, 3:43 AM

No idea why the bot didn’t tag the patch https://gerrit.wikimedia.org/r/#/c/pywikibot/core/+/470841/

Xqt added a project: Patch-For-Review.Nov 1 2018, 3:44 AM
Legoktm subscribed.Nov 1 2018, 3:52 AM
In T208296#4711603, @Xqt wrote:

No idea why the bot didn’t tag the patch https://gerrit.wikimedia.org/r/#/c/pywikibot/core/+/470841/

This is a security task, so the bot can't access it. But since your patch is public, we can make this ticket public as well.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 1 2018, 3:53 AM
gerritbot subscribed.Nov 1 2018, 3:55 AM

Change 470841 merged by jenkins-bot:
[pywikibot/core@master] [Security] use requests version 2.20.0 or later

https://gerrit.wikimedia.org/r/470841

Xqt lowered the priority of this task from Medium to Low.Nov 1 2018, 4:22 AM

Should we also inform bot owners to update the library? I guess forcing it is counterproductive.

Xqt added a comment.Nov 1 2018, 5:05 AM

Hm, a lot of tests are failing due to RequestsDependencyWarning for cryptography library needed for older python releases. But this will be a separate task.

Framawiki subscribed.Nov 1 2018, 7:03 PM
xSavitar moved this task from Backlog to Needs Review on the Pywikibot board.Nov 5 2018, 11:26 AM
Dalba added a comment.EditedFeb 5 2019, 12:17 PM
In T208296#4711662, @Xqt wrote:

Should we also inform bot owners to update the library? I guess forcing it is counterproductive.

IMO anyone who wants security updates should install the latest version of pywikibot which will install a new version of requests as a requirement. We should not encourage people to continue cloning the repository and pulling from the master branch.

Dvorapa subscribed.Feb 5 2019, 1:01 PM
In T208296#4927137, @Dalba wrote:
In T208296#4711662, @Xqt wrote:

Should we also inform bot owners to update the library? I guess forcing it is counterproductive.

IMO anyone who wants security updates should install the latest version of pywikibot which will install a new version of requests as a requirement. We should not encourage people to continue cloning the repository and pulling from the master branch.

Good point

hashar closed this task as Resolved.Feb 5 2019, 1:06 PM
In T208296#4711603, @Xqt wrote:

No idea why the bot didn’t tag the patch https://gerrit.wikimedia.org/r/#/c/pywikibot/core/+/470841/

The alert came from github which solely look at the master branch. Your patch was pending merge so Github could not notice it. Anyway the master branch is now fixed.

Seems like version 3.0.20190106 published at https://pypi.org/project/pywikibot/ contains the fix. So we are all set.

Thank you!

chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL