Message 306981 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	martin.panter
Recipients	martin.panter, orange, serhiy.storchaka, xiang.zhang
Date	2017-11-26.01:04:35
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1511658276.61.0.213398074469.issue30458@psf.upfronthosting.co.za>
In-reply-to

Content
Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded. urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/") >>> pprint(conn.recv(300).splitlines(keepends=True)) [b'GET / HTTP/1.1\r\n', b'Accept-Encoding: identity\r\n', b'Host: 127.0.0.1\r\n', b' SLAVEOF . . . :6379\r\n', b'Connection: close\r\n', b'User-Agent: Python-urllib/2.7\r\n', b'\r\n']

Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded.

urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/")

>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
 b'Accept-Encoding: identity\r\n',
 b'Host: 127.0.0.1\r\n',
 b' SLAVEOF . . . :6379\r\n',
 b'Connection: close\r\n',
 b'User-Agent: Python-urllib/2.7\r\n',
 b'\r\n']

History
Date	User	Action	Args
2017-11-26 01:04:36	martin.panter	set	recipients: + martin.panter, serhiy.storchaka, xiang.zhang, orange
2017-11-26 01:04:36	martin.panter	set	messageid: <1511658276.61.0.213398074469.issue30458@psf.upfronthosting.co.za>
2017-11-26 01:04:36	martin.panter	link	issue30458 messages
2017-11-26 01:04:35	martin.panter	create