Mar 17th, 2007, 12:40 PM   #1
Sane (Programming Guru; Join Date: Apr 2005; Posts: 1,799)
Networking - Safety Concern

If I have a program that will download (textual) content based on what a client tells me to download, what kind of safety should I be concerned about?

My biggest concern was first that I shouldn't let them tell me to access anything in the local network. So I should filter out 127.0.0.1 and 192.168.X.X(X). However I've also seen 10.174.X.X(X) used for business networks, and am not exactly sure what else is possible. What's the best way to securely filter out downloading local content?

If I manually check the address with something like:

        if url[:7].lower() == 'http://':
            url = url[7:]

        if url[:9] == '127.0.0.1' or url[:5].lower() == 'local':
            return self.response['values']
Not only is that pretty ugly (and not looking too promising), but do I risk the user being able to spoof localhost by other means? Could he possibly leave a space ("l ocal") or something else?

Can downloading textual content lead to any client-side side-effects?

Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?
Mar 17th, 2007, 3:10 PM   #2
Arevos (Programming Guru, England; Join Date: Aug 2005; Posts: 1,499)
Valid local network IPs are defined in RFC 1918:
     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
The most foolproof way of checking for local IPs is to use the various bitmasks. As I'm sure you know, IPv4 addresses are merely 32-bit integers, and it's fairly easy to write a function to convert them:
    import socket, struct

    def ip2int(ip):
        # "!I" unpacks in network (big-endian) byte order; a bare "I" uses the
        # machine's native order and gives the wrong integer on little-endian hosts
        return struct.unpack("!I", socket.inet_aton(ip))[0]
This will only check for IPv4 addresses, mind. Still, I'm not sure IPv6 actually has local ranges - the address space is so large compared to IPv4 they might not be needed. Anyway, to check for local IPs in v4:
    def inmask(ip, network, netmask):
        # ip lies in the block when its bits under the netmask equal the
        # network address: (ip & netmask) == network
        return ip2int(ip) & ip2int(netmask) == ip2int(network)

    def islocal(ip):
        # the three RFC 1918 blocks: 10/8, 172.16/12 and 192.168/16
        # (an 'or' chain needs parentheses to continue across lines)
        return (inmask(ip, "10.0.0.0", "255.0.0.0") or
                inmask(ip, "172.16.0.0", "255.240.0.0") or
                inmask(ip, "192.168.0.0", "255.255.0.0"))
You'd probably also want to combine this with socket.gethostbyname, which converts a hostname (such as "localhost") into an IP address. So maybe we should redefine islocal to:
    def islocal(host):
        # resolve a name such as "localhost" to its address first; an IP
        # literal comes back unchanged
        ip = socket.gethostbyname(host)
        # 127/8 (loopback) is what "localhost" resolves to and is not part of
        # RFC 1918, so it has to be listed explicitly for that example to work
        return (inmask(ip, "127.0.0.0", "255.0.0.0") or
                inmask(ip, "10.0.0.0", "255.0.0.0") or
                inmask(ip, "172.16.0.0", "255.240.0.0") or
                inmask(ip, "192.168.0.0", "255.255.0.0"))
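The check above is scoped to RFC 1918 and to an address handed in as a string. The question in the first post, whether a client can spell localhost some other way, has a concrete answer: yes. The resolver on Linux and the BSDs accepts every spelling C's inet_aton does, so http://127.1/, http://2130706433/, http://0x7f000001/ and http://0177.0.0.1/ all connect to 127.0.0.1 and pass a comparison against the string '127.0.0.1' untouched; IPv6 adds ::1, the IPv4-mapped form ::ffff:127.0.0.1, and the unique-local (fc00::/7) and link-local (fe80::/10) ranges. What follows is an added example in Python 3, written for this page rather than taken from the thread: it normalises every literal form, resolves real names to all of their addresses, and rejects the loopback, link-local and private ranges. The blocked-range list, the .localhost rule (RFC 6761 reserves that name for loopback) and the URLs in the demo at the bottom are this example's own choices.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a fetching proxy must never be told to contact: RFC 1918 plus loopback,
# link-local (which also hides cloud metadata services), "this network", shared
# address space (RFC 6598), multicast and reserved, and the IPv6 loopback,
# unspecified, unique-local and link-local blocks.  Example's own list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

def _c_number(text):
    """One dotted-quad component as C's inet_aton reads it: '0x' prefix is
    hex, a leading '0' is octal, anything else decimal; None if malformed."""
    if not text or not all(c in "0123456789abcdefABCDEFxX" for c in text):
        return None
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16)
        if len(text) > 1 and text[0] == "0":
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        return None

def parse_ipv4_literal(host):
    """Canonical IPv4Address for any spelling inet_aton accepts ('127.1',
    '0x7f000001', '2130706433', '0177.0.0.1'), or None if host is not an
    IPv4 literal.  A string compare against '127.0.0.1' misses all of them."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    values = [_c_number(p) for p in parts]
    if any(v is None for v in values):
        return None
    value = 0
    for v in values[:-1]:                # leading components are single octets
        if v > 0xFF:
            return None
        value = (value << 8) | v
    tail_bits = 8 * (5 - len(parts))     # the last component fills what is left
    if values[-1] >= 1 << tail_bits:
        return None
    return ipaddress.IPv4Address((value << tail_bits) | values[-1])

def _to_ip(host):
    """Address object for a literal of any form, else None.  IPv4-mapped IPv6
    ('::ffff:127.0.0.1') is unwrapped so the IPv4 ranges apply to it."""
    addr = parse_ipv4_literal(host)
    if addr is None:
        try:
            addr = ipaddress.IPv6Address(host.split("%", 1)[0])  # drop zone id
        except ValueError:
            return None
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
    return addr

def resolve_host(host):
    """Every address host maps to; all are checked, since a name the attacker
    controls can return an internal address beside a public one."""
    if host == "localhost" or host.endswith(".localhost"):  # RFC 6761: loopback
        return [ipaddress.IPv4Address("127.0.0.1")]
    literal = _to_ip(host)
    if literal is not None:
        return [literal]
    infos = socket.getaddrinfo(host, None, 0, socket.SOCK_STREAM)
    return [ip for ip in (_to_ip(i[4][0]) for i in infos) if ip is not None]

def is_blocked(addr):
    return any(addr in net for net in BLOCKED_NETWORKS)

def url_is_safe(url):
    """Gate a client-supplied URL before fetching it.  Returns (ok, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as err:
        return False, "malformed URL: %s" % err
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname          # lower-cased; brackets, userinfo, port removed
    if not host:
        return False, "no host"
    try:
        addrs = resolve_host(host)
    except (OSError, UnicodeError) as err:
        return False, "cannot resolve %s: %s" % (host, err)
    if not addrs:
        return False, "no address for %s" % host
    for addr in addrs:
        if is_blocked(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"

if __name__ == "__main__":
    for u in ("http://127.1/", "http://2130706433/", "http://[::ffff:10.0.0.1]/",
              "http://foo.localhost/", "http://user@192.168.1.1/", "http://8.8.8.8/"):
        print(u, url_is_safe(u))
```

Two things the check alone cannot fix. It resolves the name once, and urllib resolves it again when it connects; a DNS server the attacker runs can answer the first lookup with a public address and the second with 127.0.0.1 (DNS rebinding), so the fetch should connect to the vetted address and send the original name in the Host header, rather than hand the name to the library again. And a check before the fetch says nothing about where the fetched site redirects; every redirect target needs the same check.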
Mar 17th, 2007, 3:20 PM   #3
Arevos (Programming Guru, England; Join Date: Aug 2005; Posts: 1,499)
Quote (Originally Posted by Sane):
Can downloading textual content lead to any client-side side-effects?
You need to be careful about paths. Use os.path.join and os.path.basename etc. to make sure that the user doesn't enter something like "../../somecoresystemfile".

Quote (Originally Posted by Sane):
Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?
Probably not.
Mar 17th, 2007, 3:36 PM   #4
Sane (Programming Guru; Join Date: Apr 2005; Posts: 1,799)
Wow thanks! That's some great useful information there! It's funny because I was playing with the socket.gethostbyname, but for all the wrong reasons.


Quote (Originally Posted by Arevos):
You need to be careful about paths. Use os.path.join and os.path.basename etc. to make sure that the user doesn't enter in something like "../../somecoresystemfile".
Hmm? That's not what I meant by "downloading textual content". I meant, when the client makes a request, I download textual content from where they want (essentially a proxy).

Is it possible that they could use that to make me download a virus or potentially harmful data?
Mar 17th, 2007, 4:03 PM   #5
Arevos (Programming Guru, England; Join Date: Aug 2005; Posts: 1,499)
Quote (Originally Posted by Sane):
Hmm? That's not what I meant by "downloading textual content". I meant, when the client makes a request, I download textual content from where they want (essentially a proxy).

Is it possible that they could use that to make me download a virus or potentially harmful data?
Sure they can, but they can't make you execute the data. Just make sure the extension is ".txt" or something, for OSes that still use file extensions as a way to determine whether the file is executable or not.
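The answer above covers what the downloaded bytes can do once they are on disk. For a proxy the damage is usually done during the fetch, not after it: a public host can answer with a redirect to http://127.0.0.1/ or http://192.168.0.1/ after the URL has passed its check, a server can send a body of any size or hold the connection open indefinitely, and nothing about "textual content" is guaranteed by the URL the client chose. Here is the fetch side, as an added example in Python 3 rather than code from this thread: it refuses non-HTTP schemes, re-checks the host on every redirect hop, insists on an allowed text content type, caps the body size and sets a timeout. host_is_blocked is a deliberately minimal policy standing in for a full address check; SAMPLE_SERVER, fake_open and the address 8.8.8.8 are constructed so the example runs offline.

```python
import io
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_BYTES = 1_000_000   # a proxy must not be made to buffer whatever a server sends
MAX_REDIRECTS = 5
TIMEOUT = 10            # seconds; a deliberately slow server must not pin a worker
ALLOWED_TYPES = ("text/plain", "text/html", "text/csv", "application/json")

def host_is_blocked(host):
    """Minimal address policy for this example: every address the OS resolver
    returns for host must be globally routable.  Literals such as '127.0.0.1'
    never touch DNS, so the sample below runs offline."""
    try:
        infos = socket.getaddrinfo(host, None, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return True     # unresolvable: nothing legitimate to fetch, so refuse
    return any(not ipaddress.ip_address(i[4][0].split("%", 1)[0]).is_global
               for i in infos)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # stop urllib following redirects by itself; each hop is re-checked below
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def open_http(url):
    """Real transport: one request -> (status, lower-cased headers, body stream)."""
    req = urllib.request.Request(url, headers={"User-Agent": "text-proxy/0.1"})
    try:
        resp = urllib.request.build_opener(_NoRedirect()).open(req, timeout=TIMEOUT)
    except urllib.error.HTTPError as err:
        resp = err      # 3xx/4xx/5xx arrive as HTTPError, which is still a response
    status = getattr(resp, "status", None) or resp.code
    return status, {k.lower(): v for k, v in resp.headers.items()}, resp

def read_limited(stream, limit):
    """Read at most limit bytes and refuse, rather than silently truncate, a
    larger body.  Content-Length is never trusted: the server chooses it."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("body exceeds %d bytes" % limit)
    return data

def fetch_text(url, open_fn=open_http, host_is_blocked=host_is_blocked):
    """Fetch a client-chosen URL with the controls a text proxy needs: the host
    is re-checked on every redirect hop (a public site can 302 to
    http://127.0.0.1/, which a one-time pre-fetch check never sees), the
    response must carry an allowed text type, and the body is size-capped."""
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("refusing %r: scheme or host not allowed" % url)
        if host_is_blocked(parts.hostname):
            raise ValueError("refusing %r: host is not public" % url)
        status, headers, body = open_fn(url)
        try:
            if status in (301, 302, 303, 307, 308):
                if "location" not in headers:
                    raise ValueError("redirect without Location")
                url = urljoin(url, headers["location"])   # relative targets resolved
                continue
            if status != 200:
                raise ValueError("unexpected status %s" % status)
            ctype = headers.get("content-type", "").partition(";")[0].strip().lower()
            if ctype not in ALLOWED_TYPES:
                raise ValueError("refusing content-type %r" % ctype)
            data = read_limited(body, MAX_BYTES)
        finally:
            body.close()
        return data.decode("utf-8", errors="replace")   # never raises on odd bytes
    raise ValueError("too many redirects")

def try_fetch(url, open_fn=open_http):
    """(True, text) or (False, reason) for callers that report rather than raise."""
    try:
        return True, fetch_text(url, open_fn=open_fn)
    except ValueError as err:
        return False, str(err)

# Constructed in-memory responses so the example runs offline; 8.8.8.8 stands
# in for any public host.  /trap is the redirect that defeats a one-time check.
SAMPLE_SERVER = {
    "http://8.8.8.8/hello": (200, {"content-type": "text/plain; charset=utf-8"}, b"hello world"),
    "http://8.8.8.8/moved": (302, {"location": "/hello"}, b""),
    "http://8.8.8.8/trap":  (302, {"location": "http://127.0.0.1/admin"}, b""),
    "http://8.8.8.8/loop":  (302, {"location": "/loop"}, b""),
    "http://8.8.8.8/image": (200, {"content-type": "image/png"}, b"\x89PNG"),
    "http://8.8.8.8/big":   (200, {"content-type": "text/plain"}, b"x" * (MAX_BYTES + 1)),
}

def fake_open(url):
    """Stand-in transport serving SAMPLE_SERVER; unknown paths get a 404."""
    status, headers, payload = SAMPLE_SERVER.get(url, (404, {}, b""))
    return status, headers, io.BytesIO(payload)

if __name__ == "__main__":
    for path in ("hello", "moved", "trap", "loop", "image", "big"):
        print(path, try_fetch("http://8.8.8.8/" + path, fake_open))
```

open_http leaves name resolution to urllib.request at connect time, so the name that was checked and the address actually connected to can still differ if the attacker's DNS rebinds between the two; pinning the vetted address at the transport layer closes that gap. The point about extensions above still applies to anything written to disk: store fetched bodies under a fixed name of your own choosing, never one derived from the URL.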
DaniWeb IT Discussion Community
Copyright ©2007 DaniWeb® LLC