Author martin.panter
Recipients martin.panter, orange, vstinner
Date 2017-11-26.01:00:28
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
The square □ in the strings represents a space.

Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "\r\nHELO . . .". This becomes like the header injection I mentioned in Issue 30458.

Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of Issue 22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379".
Date User Action Args
2017-11-26 01:00:28martin.pantersetrecipients: + martin.panter, vstinner, orange
2017-11-26 01:00:28martin.pantersetmessageid: <>
2017-11-26 01:00:28martin.panterlinkissue32085 messages
2017-11-26 01:00:28martin.pantercreate