[issue30458] CRLF Injection in httplib

2019-03-15 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: See also https://bugs.python.org/issue36276 for a similar report. I think it's better to raise an error instead of encoding CRLF characters in URL similar to headers. I feel either of the issue and more preferably issue36276 closed as a duplicate

[issue30458] CRLF Injection in httplib

2017-11-25 Thread Martin Panter
Martin Panter added the comment: Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded. urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . .

[issue30458] CRLF Injection in httplib

2017-11-25 Thread Martin Panter
Change by Martin Panter : -- type: -> security ___ Python tracker ___ ___

[issue30458] CRLF Injection in httplib

2017-06-03 Thread Martin Panter
Martin Panter added the comment: You can also inject proper HTTP header fields (or do multiple requests) if you omit the space after the CRLF: urlopen("http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:") Data sent to the server: >>> server = socket(AF_INET, SOCK_STREAM,

[issue30458] CRLF Injection in httplib

2017-06-02 Thread Xiang Zhang
Xiang Zhang added the comment: Looking at the code and the previous issue #22928, CRLF immediately followed by a tab or space (obs-fold: CRLF 1*( SP / HTAB )) is a valid part of a header value so the regex deliberately ignore them. So it looks right to me the url given doesn't raise the same

[issue30458] CRLF Injection in httplib

2017-05-24 Thread Orange
New submission from Orange: Hi, the patch in CVE-2016-5699 can be broke by an addition space. http://www.cvedetails.com/cve/CVE-2016-5699/ https://hg.python.org/cpython/rev/bf3e1c9b80e9 https://hg.python.org/cpython/rev/1c45047c5102 import urllib, urllib2