Message347285
Okay, the url variable against which the regex check is made is not the full url but the path. The HTTPConnection class sets self.host [0] in the constructor which is used to send the Host header. Perhaps the regex check could be done for the host too given the path check is already done in the previous commit. With that the reported host also throws a http.client.InvalidURL exception.
> A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: https://bugzilla.redhat.com/show_bug.cgi?id=1673465
The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue?
[0] https://github.com/python/cpython/blob/7f41c8e0dd237d1f3f0a1d2ba2f3ee4e4bd400a7/Lib/http/client.py#L829 |
|
Date |
User |
Action |
Args |
2019-07-04 15:31:37 | xtreak | set | recipients:
+ xtreak, gregory.p.smith, vstinner, larry, martin.panter, serhiy.storchaka, xiang.zhang, cstratak, orange, miss-islington, ware |
2019-07-04 15:31:37 | xtreak | set | messageid: <1562254297.7.0.0462757180102.issue30458@roundup.psfhosted.org> |
2019-07-04 15:31:37 | xtreak | link | issue30458 messages |
2019-07-04 15:31:37 | xtreak | create | |
|