Message 339858 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date	2019-04-10.12:35:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1554899701.99.0.904215209359.issue30458@roundup.psfhosted.org>
In-reply-to

Content
> According to the following message, urllib3 is also vulnerable to HTTP Header Injection: (...) And the issue has been reported to urllib3: https://github.com/urllib3/urllib3/issues/1553 Copy of the first message: """ At https://bugs.python.org/issue36276 there's an issue in Python's urllib that an attacker controlling the request parameter can inject headers by injecting CR/LF chars. A commenter mentions that the same bug is present in urllib3: https://bugs.python.org/issue36276#msg337837 So reporting it here to make sure it gets attention. """

> According to the following message, urllib3 is also vulnerable to HTTP Header Injection: (...)

And the issue has been reported to urllib3:
https://github.com/urllib3/urllib3/issues/1553

Copy of the first message:

"""
At https://bugs.python.org/issue36276 there's an issue in Python's urllib that an attacker controlling the request parameter can inject headers by injecting CR/LF chars.

A commenter mentions that the same bug is present in urllib3:
https://bugs.python.org/issue36276#msg337837

So reporting it here to make sure it gets attention.
"""

History
Date	User	Action	Args
2019-04-10 12:35:02	vstinner	set	recipients: + vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-04-10 12:35:01	vstinner	set	messageid: <1554899701.99.0.904215209359.issue30458@roundup.psfhosted.org>
2019-04-10 12:35:01	vstinner	link	issue30458 messages
2019-04-10 12:35:01	vstinner	create