[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Ashwin Ramaswami]

Change by Ashwin Ramaswami :


--
pull_requests: +15023
pull_request: https://github.com/python/cpython/pull/15299

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Ned Deily]

Changes by Ned Deily :


--
assignee: georg.brandl -> 
priority: release blocker -> 
resolution:  -> fixed
stage: backport needed -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Ned Deily]

Ned Deily added the comment:


New changeset 8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1 by Ned Deily (Serhiy 
Storchaka) in branch '3.3':
[3.3] bpo-22928: Disabled HTTP header injections in http.client. (#2817)
https://github.com/python/cpython/commit/8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Serhiy Storchaka]

Serhiy Storchaka added the comment:

\A is not needed. match() always matches from the start.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[STINNER Victor]

STINNER Victor added the comment:

> What is the difference between PR 2817 and PR 2861?

Oh crap, I didn't know that you already created a PR. I compared the two PR:

* My PR adds \A at the start of:
   _is_legal_header_name = re.compile(rb'\A[^:\s][^:\r\n]*\Z').match 
* My PR uses blurb, yours modifies Misc/NEWS

The \A was copied from the Python 2.7 commit, since Python 3.3 doesn't have 
fullmatch().

If you are ok to add \A and convert the NEWS entry to blurb, I can abandon my 
duplicated PR.

--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Serhiy Storchaka]

Serhiy Storchaka added the comment:

What is the difference between PR 2817 and PR 2861?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[STINNER Victor]

Changes by STINNER Victor :


--
pull_requests: +2912

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Serhiy Storchaka]

Changes by Serhiy Storchaka :


--
nosy: +benjamin.peterson, larry
priority: normal -> release blocker

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Serhiy Storchaka]

Changes by Serhiy Storchaka :


--
pull_requests: +2870

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Kubilay Kocak]

Changes by Kubilay Kocak :


--
stage: resolved -> backport needed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Ned Deily]

Ned Deily added the comment:

Getting to be the last chance to backport this for 3.3.x.

--
nosy: +ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[Serhiy Storchaka]

Changes by Serhiy Storchaka :


--
assignee: serhiy.storchaka -> georg.brandl

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[koobs]

Changes by koobs :


--
versions: +Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

[koobs]

koobs added the comment:

3.3 is supported for security related fixes until September 2017 [1], but only 
3.4, 3.5 and 2.7 have received the backport, reopen for outstanding merge

[1] https://docs.python.org/devguide/#status-of-python-branches

Update summary to reflect the RedHat CVE that was assigned to this issue.

--
keywords: +security_issue
nosy: +koobs
resolution: fixed -> 
status: closed -> open
title: HTTP header injection in urrlib2/urllib/httplib/http.client -> HTTP 
header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com