This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-04-10.12:35:01
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
> According to the following message, urllib3 is also vulnerable to HTTP Header Injection: (...)

And the issue has been reported to urllib3:

Copy of the first message:

At there's an issue in Python's urllib that an attacker controlling the request parameter can inject headers by injecting CR/LF chars.

A commenter mentions that the same bug is present in urllib3:

So reporting it here to make sure it gets attention.
Date User Action Args
2019-04-10 12:35:02vstinnersetrecipients: + vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware
2019-04-10 12:35:01vstinnersetmessageid: <>
2019-04-10 12:35:01vstinnerlinkissue30458 messages
2019-04-10 12:35:01vstinnercreate