[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client
Demian Brecht
report at bugs.python.org
Sat Feb 14 02:07:08 CET 2015
Demian Brecht added the comment:
Here's a patch addressing the potential vulnerability as reported. The patch should also bring the implementation up to date with the most recent standards around header names and values.
> There could be potential for breaking compatibility if people are intentionally sending values with folded lines (obsoleted by the new HTTP RFC).
I think I'm okay with this given line folding seems to have been implemented by passing multiple value parameters (folding was automatically taken care of by the library).
I don't think that this should be merged into anything pre 3.5 as safeguarding /should/ be accounted for by the developer, so I don't think I'd regard this as a high risk security issue. I'm definitely open to debate on that though.
----------
Added file: http://bugs.python.org/file38133/issue22928.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22928>
_______________________________________
More information about the Python-bugs-list
mailing list