Martin Panter added the comment:

You can also inject proper HTTP header fields (or do multiple requests) if you omit the space after the CRLF:

urlopen("http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:")

Data sent to the server:
>>> server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
>>> server.bind(("localhost", 8000))
>>> server.listen()
>>> [conn, addr] = server.accept()
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
 b'HEADER: INJECTED\r\n',
 b'Ignore: HTTP/1.1\r\n',
 b'Accept-Encoding: identity\r\n',
 b'User-Agent: Python-urllib/3.5\r\n',
 b'Connection: close\r\n',
 b'Host: localhost:8000\r\n',
 b'\r\n']

Issue 14826 is already open about how “urlopen” handles spaces, and there is a patch in Issue 13359 that proposes to also encode newline characters. But if the CRLF or header injection is a security problem, then 2.7 etc could be changed to raise an exception (like Issue 22928), or to do percent encoding.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue30458>
_______________________________________
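
The two mitigations named in the message above (raise an exception, or percent-encode), as an added sketch that is not part of the original message and not CPython's code. The names check_url, encode_url, split_url, request_head and UnsafeURLError are hypothetical, and request_head only models how a naive client builds the request head, without any network I/O.

```python
import re
from urllib.parse import quote

# Characters that must never reach the request line raw: ASCII control
# characters (CR and LF included), space and DEL.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")
# Reserved URL characters and "%" are left as they are by encode_url().
KEEP = ":/?#[]@!$&'()*+,;=%"

class UnsafeURLError(ValueError):
    """Hypothetical exception type for this example."""

def split_url(url):
    """Return (scheme, authority, target) without normalising anything."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise UnsafeURLError("absolute URL required")
    cut = min([i for i in map(rest.find, "/?#") if i != -1] or [len(rest)])
    return scheme, rest[:cut], rest[cut:]

def check_url(url):
    """Strict policy: refuse a URL holding a control character or space."""
    found = UNSAFE.search(url)
    if found:
        raise UnsafeURLError(
            "unsafe character %r at offset %d" % (found.group(), found.start()))
    return url

def encode_url(url):
    """Lenient policy: percent-encode unsafe characters after the authority."""
    scheme, authority, target = split_url(url)
    check_url(scheme + authority)  # a bad host cannot be repaired by encoding
    return "%s://%s%s" % (scheme, authority, quote(target, safe=KEEP))

def request_head(url):
    """Model of the head a naive client builds for url (no network I/O)."""
    _, host, target = split_url(url)
    head = "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target or "/", host)
    return head.encode("utf-8").splitlines(keepends=True)

# URL quoted from the message above.
INJECTED = "http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:"

if __name__ == "__main__":
    print(request_head(INJECTED))              # injected header line present
    print(request_head(encode_url(INJECTED)))  # one request line, then Host
```

The split is done by hand rather than with urllib.parse.urlsplit because newer Python releases strip CR, LF and tab inside urlsplit, which would hide the characters this check is meant to catch.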