This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author orsenthil
Recipients alvinchang, brett.cannon, martin.panter, orsenthil, ragdoll.guo, vstinner, xtreak
Date 2019-03-20.06:14:57
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
I am going to make a note that the Superseder

1) - is listed only as pending request for 2.7 with the intention to raise an Exception.

However, this bug demonstrates a vulnerability in all versions of Python (including 3.8 as of March 2019).

There are additional related bug reports that deal with the same topic of parsing CRLF in headers / or in requests.


A consolidation of all of these is required, and at the end, our goal should be the close the loophole reported by this bug.

I am assigning this bug to myself to work on it, and my first task is make sure that the previous reports 1, 2 and 3 cover the scenario mentioned in this report. If they do not, I will reopen this ticket.

Date User Action Args
2019-03-20 06:14:57orsenthilsetrecipients: + orsenthil, brett.cannon, vstinner, martin.panter, xtreak, ragdoll.guo, alvinchang
2019-03-20 06:14:57orsenthilsetmessageid: <>
2019-03-20 06:14:57orsenthillinkissue36276 messages
2019-03-20 06:14:57orsenthilcreate