From c2d4a1083bcce46fc239bc03a75b87d04b9bf47e Mon Sep 17 00:00:00 2001 From: Marek Czernek Date: Mon, 27 Apr 2026 09:07:49 +0200 Subject: [PATCH] (BDSA-2025-60810) Harden against invalid HTTP reason phrases (#757) We allow applications to set custom reason phrases for the HTTP status line (to support custom status codes), but if this were exposed to untrusted data it could be exploited in various ways. This commit guards against invalid reason phrases in both HTTP headers and in error pages. --- salt/ext/tornado/web.py | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/salt/ext/tornado/web.py b/salt/ext/tornado/web.py index bb76abef359..ce381ea9113 100644 --- a/salt/ext/tornado/web.py +++ b/salt/ext/tornado/web.py @@ -313,11 +313,21 @@ class RequestHandler(object): :arg int status_code: Response status code. If ``reason`` is ``None``, it must be present in `httplib.responses `. :arg string reason: Human-readable reason phrase describing the status - code. If ``None``, it will be filled in from - `httplib.responses `. + code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). + Normally determined automatically from `http.client.responses`; this + argument should only be used if you need to use a non-standard + status code. """ self._status_code = status_code if reason is not None: + if "<" in reason or not RequestHandler._REASON_PHRASE_RE.fullmatch(reason): + # Logically this would be better as an exception, but this method + # is called on error-handling paths that would need some refactoring + # to tolerate internal errors cleanly. + # + # The check for "<" is a defense-in-depth against XSS attacks (we also + # escape the reason when rendering error pages). + reason = "Unknown" self._reason = escape.native_str(reason) else: try: @@ -358,6 +368,7 @@ class RequestHandler(object): del self._headers[name] _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x1f]") + _REASON_PHRASE_RE = re.compile(r"(?:[\t ]|[\x21-\x7E]|[\x80-\xFF])+") def _convert_header_value(self, value): # type: (_HeaderTypes) -> str @@ -1058,7 +1069,8 @@ class RequestHandler(object): reason = exception.reason self.set_status(status_code, reason=reason) try: - self.write_error(status_code, **kwargs) + if status_code != 304: + self.write_error(status_code, **kwargs) except Exception: app_log.error("Uncaught exception in write_error", exc_info=True) if not self._finished: @@ -1086,7 +1098,7 @@ class RequestHandler(object): self.finish("%(code)d: %(message)s" "%(code)d: %(message)s" % { "code": status_code, - "message": self._reason, + "message": escape.xhtml_escape(self._reason), }) @property @@ -2185,9 +2197,11 @@ class HTTPError(Exception): mode). May contain ``%s``-style placeholders, which will be filled in with remaining positional parameters. :arg string reason: Keyword-only argument. The HTTP "reason" phrase - to pass in the status line along with ``status_code``. Normally + to pass in the status line along with ``status_code`` (for example, + the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally determined automatically from ``status_code``, but can be used - to use a non-standard numeric code. + to use a non-standard numeric code. This is not a general-purpose + error message. """ def __init__(self, status_code=500, log_message=None, *args, **kwargs): self.status_code = status_code -- 2.53.0