Author xtreak
Recipients cstratak, gregory.p.smith, larry, martin.panter, miss-islington, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-07-04.15:31:37
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1562254297.7.0.0462757180102.issue30458@roundup.psfhosted.org>
In-reply-to
Content
Okay, the url variable against which the regex check is made is not the full url but the path. The HTTPConnection class sets self.host [0] in the constructor which is used to send the Host header. Perhaps the regex check could be done for the host too given the path check is already done in the previous commit. With that the reported host also throws a http.client.InvalidURL exception.

> A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: https://bugzilla.redhat.com/show_bug.cgi?id=1673465

The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue?

[0] https://github.com/python/cpython/blob/7f41c8e0dd237d1f3f0a1d2ba2f3ee4e4bd400a7/Lib/http/client.py#L829
History
Date User Action Args
2019-07-04 15:31:37xtreaksetrecipients: + xtreak, gregory.p.smith, vstinner, larry, martin.panter, serhiy.storchaka, xiang.zhang, cstratak, orange, miss-islington, ware
2019-07-04 15:31:37xtreaksetmessageid: <1562254297.7.0.0462757180102.issue30458@roundup.psfhosted.org>
2019-07-04 15:31:37xtreaklinkissue30458 messages
2019-07-04 15:31:37xtreakcreate