This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author martin.panter
Recipients martin.panter, orange, serhiy.storchaka, xiang.zhang
Date 2017-11-26.01:04:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded.

urlopen(" . . . :6379/")

>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
 b'Accept-Encoding: identity\r\n',
 b' SLAVEOF . . . :6379\r\n',
 b'Connection: close\r\n',
 b'User-Agent: Python-urllib/2.7\r\n',
Date User Action Args
2017-11-26 01:04:36martin.pantersetrecipients: + martin.panter, serhiy.storchaka, xiang.zhang, orange
2017-11-26 01:04:36martin.pantersetmessageid: <>
2017-11-26 01:04:36martin.panterlinkissue30458 messages
2017-11-26 01:04:35martin.pantercreate