Programming Forums

Programming Forums (http://www.programmingforums.org/forumindex.php)
-   Python (http://www.programmingforums.org/forum43.html)
-   -   Networking - Safety Concern (http://www.programmingforums.org/showthread.php?t=12839)

Sane Mar 17th, 2007 1:40 PM

Networking - Safety Concern
 
If I have a program that will download (textual) content based on what a client tells me to download, what kind of safety should I be concerned about?

My biggest concern was first that I shouldn't let them tell me to access anything in the local network. So I should filter out 127.0.0.1 and 192.168.X.X(X). However, I've also seen 10.174.X.X(X) used for business networks, and am not exactly sure what else is possible. What's the best way to securely filter out downloading local content?

If I manually check the address with something like:

    # fragment from inside a request-handling method; self.response is defined elsewhere
    if url[:7].lower() == 'http://':
        url = url[7:]

    if url[:9] == '127.0.0.1' or url[:5].lower() == 'local':
        return self.response['values']

Not only is that pretty ugly (and not looking too promising), but do I risk the user being able to spoof localhost by other means? Could he possibly leave a space ("l ocal") or something else?

Can downloading textual content lead to any client-side side-effects?

Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?

Arevos Mar 17th, 2007 4:10 PM

Valid local network IPs are defined in RFC 1918:

    10.0.0.0        -  10.255.255.255  (10/8 prefix)
    172.16.0.0      -  172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -  192.168.255.255 (192.168/16 prefix)

The most foolproof way of checking for local IPs is to use the various bitmasks. As I'm sure you know, IPv4 addresses are merely 32-bit integers, and it's fairly easy to write a function to convert them:

    import socket, struct

    def ip2int(ip):
        # "!I" unpacks in network (big-endian) byte order, so the first octet
        # always ends up in the top bits regardless of host endianness.
        return struct.unpack("!I", socket.inet_aton(ip))[0]

This will only check for IPv4 addresses, mind. Still, I'm not sure IPv6 actually has local ranges - the address space is so large compared to IPv4 they might not be needed. Anyway, to check for local IPs in v4:

    def inmask(ip, network, bits):
        # True when ip lies inside network/bits: compare only the top `bits` bits.
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        return ip2int(ip) & mask == ip2int(network) & mask

    def islocal(ip):
        return (inmask(ip, "127.0.0.0", 8) or      # loopback, so 127.0.0.1 is caught too
                inmask(ip, "10.0.0.0", 8) or
                inmask(ip, "172.16.0.0", 12) or
                inmask(ip, "192.168.0.0", 16))

You'd probably also want to combine this with socket.gethostbyname, which converts a hostname (such as "localhost") into an IP address. So maybe we should redefine islocal to:

    def islocal(host):
        # Resolve first, so "localhost" becomes 127.0.0.1 before the range checks.
        ip = socket.gethostbyname(host)
        return (inmask(ip, "127.0.0.0", 8) or      # loopback, so "localhost" is caught
                inmask(ip, "10.0.0.0", 8) or
                inmask(ip, "172.16.0.0", 12) or
                inmask(ip, "192.168.0.0", 16))

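As an added example that is not from this thread, here is the same filter written for current Python 3 with the standard ipaddress module: it parses the URL, resolves the host to every address it maps to (IPv4 and IPv6), and refuses the fetch if any of them is loopback, link-local, RFC 1918, or an IPv6 equivalent. The resolver argument and the function names are my own assumptions; the resolver is injectable so the check can be tested without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a fetch-on-behalf-of-a-client service should refuse to contact:
# RFC 1918, loopback, link-local (169.254/16 also hosts cloud metadata
# services), plus IPv6 loopback, unique-local and link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    # Return every address the host resolves to; one public A record must
    # not hide a private one further down the list.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [sockaddr[0] for (_, _, _, _, sockaddr) in infos]


def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_local_url(url, resolver=default_resolver):
    """True if the URL must NOT be fetched: non-http scheme, no host,
    unresolvable host, or any resolved address in a blocked range."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = resolver(parts.hostname)  # hostname is lowercased, brackets stripped
        return not addrs or any(is_blocked_address(a) for a in addrs)
    except (socket.gaierror, ValueError):
        return True  # cannot resolve or parse: deny rather than guess
```

Deciding on resolved addresses rather than on the URL string means alternate spellings of the same address are handled by the resolver instead of by pattern matching. The fetch itself should then connect to the vetted address, since a second lookup at connect time could return something different.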

Arevos Mar 17th, 2007 4:20 PM

Quote:

Originally Posted by Sane (Post 125401)
Can downloading textual content lead to any client-side side-effects?

You need to be careful about paths. Use os.path.join and os.path.basename etc. to make sure that the user doesn't enter in something like "../../somecoresystemfile".

Quote:

Originally Posted by Sane (Post 125401)
Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?

Probably not.

Sane Mar 17th, 2007 4:36 PM

Wow thanks! That's some great useful information there! It's funny because I was playing with the socket.gethostbyname, but for all the wrong reasons.


Quote:

Originally Posted by Arevos (Post 125406)
You need to be careful about paths. Use os.path.join and os.path.basename etc. to make sure that the user doesn't enter in something like "../../somecoresystemfile".

Hmm? That's not what I meant by "downloading textual content". I meant, when the client makes a request, I download textual content from where they want (essentially a proxy).

Is it possible that they could use that to make me download a virus or potentially harmful data?

Arevos Mar 17th, 2007 5:03 PM

Quote:

Originally Posted by Sane (Post 125407)
Hmm? That's not what I meant by "downloading textual content". I meant, when the client makes a request, I download textual content from where they want (essentially a proxy).

Is it possible that they could use that to make me download a virus or potentially harmful data?

Sure they can, but they can't make you execute the data. Just make sure the extension is ".txt" or something, for OSes that still use file extensions as a way to determine whether the file is executable or not.


Copyright ©2007 DaniWeb® LLC