Message306981
Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded.
urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/")
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
b'Accept-Encoding: identity\r\n',
b'Host: 127.0.0.1\r\n',
b' SLAVEOF . . . :6379\r\n',
b'Connection: close\r\n',
b'User-Agent: Python-urllib/2.7\r\n',
b'\r\n'] |
|
Date |
User |
Action |
Args |
2017-11-26 01:04:36 | martin.panter | set | recipients:
+ martin.panter, serhiy.storchaka, xiang.zhang, orange |
2017-11-26 01:04:36 | martin.panter | set | messageid: <1511658276.61.0.213398074469.issue30458@psf.upfronthosting.co.za> |
2017-11-26 01:04:36 | martin.panter | link | issue30458 messages |
2017-11-26 01:04:35 | martin.panter | create | |
|