Author martin.panter
Recipients martin.panter, orange, serhiy.storchaka, xiang.zhang
Date 2017-11-26.01:04:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1511658276.61.0.213398074469.issue30458@psf.upfronthosting.co.za>
In-reply-to
Content
Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded.

urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/")

>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
 b'Accept-Encoding: identity\r\n',
 b'Host: 127.0.0.1\r\n',
 b' SLAVEOF . . . :6379\r\n',
 b'Connection: close\r\n',
 b'User-Agent: Python-urllib/2.7\r\n',
 b'\r\n']
History
Date User Action Args
2017-11-26 01:04:36martin.pantersetrecipients: + martin.panter, serhiy.storchaka, xiang.zhang, orange
2017-11-26 01:04:36martin.pantersetmessageid: <1511658276.61.0.213398074469.issue30458@psf.upfronthosting.co.za>
2017-11-26 01:04:36martin.panterlinkissue30458 messages
2017-11-26 01:04:35martin.pantercreate