This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author r.david.murray
Recipients crickert, r.david.murray
Date 2015-11-06.21:08:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1446844126.19.0.0844330714913.issue25570@psf.upfronthosting.co.za>
In-reply-to
Content
This behavior change was part of a security fix, and will appear in the next version of 3.4 as well.  See issue 22928.  Header names may not contain colons, the colon separator is added when the header is rendered.  Detecting and rejecting them guards against header injection attacks.

However, that fix was done in httplib.  I think it would also be worthwhile to fix add_header so that it rejects invalid header components when called, instead of only having the check done later in httplib, at a point distant from where the problem occurred.
History
Date User Action Args
2015-11-06 21:08:46r.david.murraysetrecipients: + r.david.murray, crickert
2015-11-06 21:08:46r.david.murraysetmessageid: <1446844126.19.0.0844330714913.issue25570@psf.upfronthosting.co.za>
2015-11-06 21:08:46r.david.murraylinkissue25570 messages
2015-11-06 21:08:46r.david.murraycreate