
Author: vstinner
Recipients: maxpl0it, orsenthil, vstinner
Date: 2020-02-11 12:29:20
Message-id: <1581424160.53.0.713697873011.issue39603@roundup.psfhosted.org>
Content
> The recommended solution is to only allow the standard HTTP methods of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.

I don't think that we have to be so strict. We can maybe restrict the HTTP method to ASCII letters, or just reject control characters (U+0000-U+001f).

Similar issues (fixed):

* https://python-security.readthedocs.io/vuln/http-header-injection2.html
* https://python-security.readthedocs.io/vuln/http-header-injection.html
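The two validation options proposed in the message above (reject C0 control characters, or require ASCII letters only), written out as an added example; this is not CPython's patch for this issue, and the function names are assumed:

```python
import re

# Policy regexes (assumed names; added example, not http.client's own code).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")   # U+0000-U+001F
_ASCII_LETTERS = re.compile(r"^[A-Za-z]+$")

def method_has_control_chars(method: str) -> bool:
    """True if the method contains a C0 control character (CR, LF, NUL, ...)."""
    return _CONTROL_CHARS.search(method) is not None

def validate_method(method: str, strict: bool = False) -> str:
    """Return the method unchanged, or raise ValueError.

    strict=False: the lenient option, reject control characters only.
    strict=True:  the strict option, require ASCII letters only.
    """
    if not isinstance(method, str) or not method:
        raise ValueError("HTTP method must be a non-empty str")
    if strict:
        if not _ASCII_LETTERS.match(method):
            raise ValueError(f"method must be ASCII letters only: {method!r}")
    elif method_has_control_chars(method):
        raise ValueError(f"method contains control characters: {method!r}")
    return method

def is_valid_method(method: str, strict: bool = False) -> bool:
    """Boolean wrapper around validate_method for callers that do not want exceptions."""
    try:
        validate_method(method, strict=strict)
    except ValueError:
        return False
    return True

def build_request_line(method: str, path: str, strict: bool = False) -> bytes:
    """Build 'METHOD path HTTP/1.1\\r\\n' after validating the method.

    Note: a non-ASCII method passes the lenient check but still fails the
    ASCII encoding below (UnicodeEncodeError is a subclass of ValueError).
    """
    validate_method(method, strict=strict)
    return f"{method} {path} HTTP/1.1\r\n".encode("ascii")

if __name__ == "__main__":
    # Constructed sample methods: standard, extension, hyphenated, non-ASCII, CRLF.
    for m in ("GET", "PROPFIND", "X-custom", "G\u00c9T", "GET\r\n"):
        for strict in (False, True):
            try:
                print(strict, build_request_line(m, "/"))
            except ValueError as exc:
                print(strict, "rejected:", exc)
```

Running the script shows that the lenient rule accepts "X-custom" while the strict rule rejects it, and that the CRLF-bearing method is rejected under both rules.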