Message295067
You can also inject proper HTTP header fields (or do multiple requests) if you omit the space after the CRLF:
urlopen("http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:")
Data sent to the server:
>>> server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
>>> server.bind(("localhost", 8000))
>>> server.listen()
>>> [conn, addr] = server.accept()
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
b'HEADER: INJECTED\r\n',
b'Ignore: HTTP/1.1\r\n',
b'Accept-Encoding: identity\r\n',
b'User-Agent: Python-urllib/3.5\r\n',
b'Connection: close\r\n',
b'Host: localhost:8000\r\n',
b'\r\n']
Issue 14826 is already open about how “urlopen” handles spaces, and there is a patch in Issue 13359 that proposes to also encode newline characters. But if the CRLF or header injection is a security problem, then 2.7 etc could be changed to raise an exception (like Issue 22928), or to do percent encoding. |
|
Date |
User |
Action |
Args |
2017-06-03 07:01:33 | martin.panter | set | recipients:
+ martin.panter, serhiy.storchaka, xiang.zhang, orange |
2017-06-03 07:01:33 | martin.panter | set | messageid: <1496473293.92.0.424276419664.issue30458@psf.upfronthosting.co.za> |
2017-06-03 07:01:33 | martin.panter | link | issue30458 messages |
2017-06-03 07:01:33 | martin.panter | create | |
|