
Author demian.brecht
Recipients Guido, demian.brecht, martin.panter, orsenthil, r.david.murray
Date 2015-02-14.01:07:07
Message-id <1423876028.97.0.715206350455.issue22928@psf.upfronthosting.co.za>
Content
Here's a patch addressing the potential vulnerability as reported. The patch should also bring the implementation up to date with the most recent standards around header names and values.

> There could be potential for breaking compatibility if people are intentionally sending values with folded lines (obsoleted by the new HTTP RFC).

I think I'm okay with this given line folding seems to have been implemented by passing multiple value parameters (folding was automatically taken care of by the library).

I don't think that this should be merged into anything pre 3.5 as safeguarding /should/ be accounted for by the developer, so I don't think I'd regard this as a high risk security issue. I'm definitely open to debate on that though.
History
Date User Action Args
2015-02-14 01:07:09 demian.brecht set recipients: + demian.brecht, orsenthil, r.david.murray, martin.panter, Guido
2015-02-14 01:07:08 demian.brecht set messageid: <1423876028.97.0.715206350455.issue22928@psf.upfronthosting.co.za>
2015-02-14 01:07:08 demian.brecht link issue22928 messages
2015-02-14 01:07:08 demian.brecht create