[issue35906] Header Injection in urllib

Martin Panter report at bugs.python.org
Wed Feb 6 22:34:00 EST 2019


Martin Panter <vadmium+py at gmail.com> added the comment:

Maybe related to Victor's "Issue 1" described in Issue 32085. That is also a security bug about CRLF in the URL's path, but was opened before Issue 30500 was opened and the code changed, so I'm not sure if it is the same as this or not.

Also there is Issue 13359, a proposal to automatically percent-encode invalid URLs. For a security fix, I'm not sure but it might be safer to raise an exception, rather than rewriting the invalid URL to a valid one.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35906>
_______________________________________
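
The two policies weighed in the comment above (raise an exception, or percent-encode the invalid URL), shown on a path containing CRLF. This is an added example, not code from the tracker issue or from CPython; `UnsafeURLError`, `naive_request`, `header_lines`, `reject_invalid`, `percent_encode_invalid`, the host `example.test` and the sample path are all assumptions made for illustration.

```python
import re

# CR, LF, other ASCII control characters, space and DEL are never valid
# inside an HTTP request target.
_INVALID = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample input: a path carrying CRLF followed by a header line.
BAD_PATH = "/index\r\nX-Injected: 1"


class UnsafeURLError(ValueError):
    """Hypothetical exception type used only by this example."""


def naive_request(path, host="example.test"):
    """Build the request head the way a client that trusts `path` would."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def header_lines(request):
    """Return the lines a server sees before the blank line ending the head."""
    return request.split("\r\n\r\n", 1)[0].split("\r\n")


def reject_invalid(path):
    """Policy 1: raise, so the caller learns the URL was invalid."""
    match = _INVALID.search(path)
    if match:
        raise UnsafeURLError(
            f"invalid character {match.group()!r} at index {match.start()}"
        )
    return path


def percent_encode_invalid(path):
    """Policy 2: rewrite the path into a valid one. The request is still
    sent, to a path the caller may not have meant to ask for."""
    return _INVALID.sub(lambda m: f"%{ord(m.group()):02X}", path)


if __name__ == "__main__":
    print(header_lines(naive_request(BAD_PATH)))
    print(header_lines(naive_request(percent_encode_invalid(BAD_PATH))))
    try:
        reject_invalid(BAD_PATH)
    except UnsafeURLError as exc:
        print("rejected:", exc)
```

Both policies keep the extra header line off the wire; they differ in whether the caller finds out that the URL was invalid.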

