Message339857
bpo-36276 has been marked as a duplicate of this issue.
According to the following message, urllib3 is also vulnerable to HTTP Header Injection:
https://bugs.python.org/issue36276#msg337837
Copy of Alvin Chang's msg337837:
"""
I am also seeing the same issue with urllib3
import urllib3

pool_manager = urllib3.PoolManager()
host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"
try:
    info = pool_manager.request('GET', url).info()
    print(info)
except Exception:
    pass

nc -l localhost 7777
GET /?a=1 HTTP/1.1
X-injected: header
TEST: 123:8080/test/?test=a HTTP/1.1
Host: localhost:7777
Accept-Encoding: identity
"""

Date | User | Action | Args
2019-04-10 12:32:58 | vstinner | set | recipients: + vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-04-10 12:32:58 | vstinner | set | messageid: <1554899578.74.0.184544272671.issue30458@roundup.psfhosted.org>
2019-04-10 12:32:58 | vstinner | link | issue30458 messages
2019-04-10 12:32:58 | vstinner | create |
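
A caller-side check for the case reported in the message above, as an added example that is not part of the original message and is not urllib3 or CPython code. It rebuilds the request head by plain concatenation to show which header names a receiving server would parse, then rejects the URL before any request is built. The helper names and the rule of refusing every character in the range \x00-\x20 plus \x7f are assumptions of this example.

```python
import re

# Assumption of this example: any ASCII control character, space or DEL in a
# URL is rejected, because it can end the request line or start a new header.
UNSAFE_CHARS = re.compile(r"[\x00-\x20\x7f]")


def split_authority(url):
    """Split 'scheme://authority<target>' by hand, with no normalisation."""
    rest = url.split("://", 1)[1]
    cut = re.search(r"[/?#]", rest)
    if cut is None:
        return rest, "/"
    authority, target = rest[:cut.start()], rest[cut.start():]
    return authority, target if target.startswith("/") else "/" + target


def naive_request_head(method, url):
    """Build the request head by plain concatenation, with no validation."""
    authority, target = split_authority(url)
    return f"{method} {target} HTTP/1.1\r\nHost: {authority}\r\n\r\n"


def headers_seen_by_server(head):
    """Return the header names a line-based server would parse from the head."""
    lines = head.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [line.split(":", 1)[0] for line in lines if ":" in line]


def checked_request_head(method, url):
    """Check the raw string first: a URL parser may strip CR/LF before you see it."""
    bad = UNSAFE_CHARS.search(url)
    if bad:
        raise ValueError(
            f"unsafe character {bad.group()!r} at offset {bad.start()} in URL")
    return naive_request_head(method, url)


# URL taken from the report above.
HOST = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
REPORTED_URL = "http://" + HOST + ":8080/test/?test=a"

if __name__ == "__main__":
    print(headers_seen_by_server(naive_request_head("GET", REPORTED_URL)))
    try:
        checked_request_head("GET", REPORTED_URL)
    except ValueError as exc:
        print("rejected:", exc)
```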