Author karlcow
Recipients karlcow, orsenthil
Date 2013-02-28.21:27:13
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
For HTTP header field names parsing, see

   No whitespace is allowed between the header field-name and colon. In
   the past, differences in the handling of such whitespace have led to
   security vulnerabilities in request routing and response handling.  A
   server MUST reject any received request message that contains
   whitespace between a header field-name and colon with a response code
   of 400 (Bad Request). A proxy MUST remove any such whitespace from a
   response message before forwarding the message downstream.

In python3.3 currently
>>> import urllib.request
>>> req = urllib.request.Request('')
>>> req.add_header('FoO ', 'Yeah')
>>> req.header_items()
[('Foo ', 'Yeah'), ('User-agent', 'Python-urllib/3.3'), ('Host', '')]

The space has not been removed. So we should fix that at least. This is a bug. I'm not familiar with the specific security issues mentioned in the spec.  

Note that many things can be done too: :/

>>> req.add_header('FoO \n blah', 'Yeah')
>>> req.add_header('Foo:Bar\nFoo2', 'Yeah')
>>> req.header_items()
[('Foo:bar\nfoo2', 'Yeah'), ('Foo \n blah', 'Yeah'), ('Foo ', 'Yeah'), ('User-agent', 'Python-urllib/3.3'), ('Host', '')]

I will check for making a patch tomorrow.
Date User Action Args
2013-02-28 21:27:14karlcowsetrecipients: + karlcow, orsenthil
2013-02-28 21:27:14karlcowsetmessageid: <>
2013-02-28 21:27:14karlcowlinkissue17322 messages
2013-02-28 21:27:13karlcowcreate