1. Is there a library of URL / Header injection tests e.g. for fuzzing that we could generate additional test cases with or from?
2. Are requests.get() and requests.post() also vulnerable?
3. Despite the much-heralded UNIX pipe protocols' utility, filenames containing newlines (the de-facto line record delimiter) are possible: "file"$'\n'"name"
Should filenames containing newlines and control characters require a kwarg to be non-None in order to be passed through unescaped to the HTTP request?
On Wednesday, April 10, 2019, Karthikeyan <
tir.karthi@gmail.com> wrote:
Thanks Gregory. I think it's a good tradeoff to ensure this validation only for URLs of http scheme.
I also agree handling newline is little problematic over the years and the discussion over the level at which validation should occur also prolongs some of the patches.
https://bugs.python.org/issue35906 is another similar case where splitlines is used but it's better to raise an error and the proposed fix could be used there too. Victor seemed to wrote a similar PR like linked one for other urllib functions only to fix similar attack in ftplib to reject newlines that was eventually fixed only in ftplib
Search also brings multiple issues with one duplicate over another that makes these attacks scattered over the tracker and some edge case missing. Slightly off topic, the last time I reported a cookie related issue where the policy can be overriden by third party library I was asked to fix it in stdlib itself since adding fixes to libraries causes maintenance burden to downstream libraries to keep up upstream. With urllib being a heavily used module across ecosystem it's good to have a fix landing in stdlib that secures downstream libraries encouraging users to upgrade Python too.
Regards,
Karthikeyan S