Message306980
The square □ in the strings represents a space.
Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "http://127.0.0.1:25/\r\nHELO . . .". This becomes like the header injection I mentioned in Issue 30458.
Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of Issue 22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379". |
|
Date |
User |
Action |
Args |
2017-11-26 01:00:28 | martin.panter | set | recipients:
+ martin.panter, vstinner, orange |
2017-11-26 01:00:28 | martin.panter | set | messageid: <1511658028.71.0.213398074469.issue32085@psf.upfronthosting.co.za> |
2017-11-26 01:00:28 | martin.panter | link | issue32085 messages |
2017-11-26 01:00:28 | martin.panter | create | |
|