The blog post below is from a couple days ago: http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
It reports that it's possible to inject fake HTTP headers into requests sent by urllib2 (Python 2) and urllib (Python 3), by getting the library to retrieve a URL concocted to have a newline followed by other headers. A malicious site can do this by redirecting from a normal URL to a concocted one. It gives examples of some exploits possible with this trick, against Redis and Memcached.

There's a small HN thread here: https://news.ycombinator.com/item?id=11921568

Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not vulnerable" since there's been a patch, but some Linux distros still use older versions. I don't know the situation with python2 urllib or with the request library.

The blog post criticizes Redis and Memcached for not using any authentication (since "safe" internal networks are often not safe) and makes the interesting claim that even services on localhost should use authentication these days.
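
Added example, not part of the original post or the linked advisory: one defensive way for application code to refuse such URLs before urllib sees them, covering both the initial URL and every redirect target. `UnsafeURLError`, `check_url`, `CheckedRedirectHandler` and `safe_open` are names made up for this example, and rejecting percent-encoded control characters anywhere in the URL is a deliberately conservative assumption.

```python
import urllib.request
from urllib.parse import urlsplit, unquote


class UnsafeURLError(ValueError):
    """URL contains characters that could end the request line or a header."""


def _has_control_chars(text):
    # CR, LF and every other ASCII control character, plus DEL.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def check_url(url):
    """Return url unchanged, or raise UnsafeURLError if it is unsafe to fetch."""
    # Look at the raw string before parsing: newer urlsplit() versions
    # silently strip tab/CR/LF, which would hide the problem.
    if _has_control_chars(url):
        raise UnsafeURLError("control character in URL")
    # Conservative assumption of this example: also refuse encoded forms
    # such as %0d%0a, in case a later layer decodes them.
    if _has_control_chars(unquote(url)):
        raise UnsafeURLError("percent-encoded control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURLError("unexpected scheme %r" % parts.scheme)
    if not parts.hostname:
        raise UnsafeURLError("missing host")
    return url


class CheckedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply check_url() to every redirect target before following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_url(newurl)  # raises before any new request is built
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_open(url, timeout=10):
    """Fetch url with the initial URL and each redirect target validated."""
    opener = urllib.request.build_opener(CheckedRedirectHandler)
    return opener.open(check_url(url), timeout=timeout)
```

This complements, rather than replaces, running a patched interpreter and requiring authentication on internal services.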