[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Victor Stinner vstinner at redhat.com
Tue Apr 9 10:22:56 EDT 2019


In May 2017, user "Orange" found a vulnerability in the urllib fix for
CVE-2016-5699 (HTTP Header Injection vulnerability):

It allows to inject arbitrary HTTP headers.

Copy of their message:

Hi, the patch in CVE-2016-5699 can be broke by an addition space.

import urllib, urllib2

urllib.urlopen('\r\n\x20hihi\r\n :11211')
urllib2.urlopen('\r\n\x20hihi\r\n :11211')

Last month, the same bug has been rediscovered by user "ragdoll.guo":

Almost one year after the bug has been reported, no one came with a solution.

I'm not comfortable with having known security issues impacting HTTP.
Can someone please have a look at the issue and try to write a change
to fix the issue?

According to Karthikeyan Singaravelan, the Go language fixed a similar
issue in Go 1.12: throw an error if the URL contains any control

If we decide that the issue is not a security issue, we should
document the behavior properly and close the issue.

See also this related issue:

   "urlopen URL with unescaped space"

Night gathers, and now my watch begins. It shall not end until my death.

More information about the Python-Dev mailing list