[Python-Dev] Need help to fix HTTP Header Injection vulnerability
Victor Stinner
vstinner at redhat.com
Tue Apr 9 10:22:56 EDT 2019
Hi,
In May 2017, user "Orange" found a vulnerability in the urllib fix for
CVE-2016-5699 (HTTP Header Injection vulnerability):
https://bugs.python.org/issue30458
It allows to inject arbitrary HTTP headers.
Copy of their message:
"""
Hi, the patch in CVE-2016-5699 can be broke by an addition space.
http://www.cvedetails.com/cve/CVE-2016-5699/
https://hg.python.org/cpython/rev/bf3e1c9b80e9
https://hg.python.org/cpython/rev/1c45047c5102
import urllib, urllib2
urllib.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211')
urllib2.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211')
"""
Last month, the same bug has been rediscovered by user "ragdoll.guo":
https://bugs.python.org/issue36276
Almost one year after the bug has been reported, no one came with a solution.
I'm not comfortable with having known security issues impacting HTTP.
Can someone please have a look at the issue and try to write a change
to fix the issue?
According to Karthikeyan Singaravelan, the Go language fixed a similar
issue in Go 1.12: throw an error if the URL contains any control
character.
If we decide that the issue is not a security issue, we should
document the behavior properly and close the issue.
See also this related issue:
"urlopen URL with unescaped space"
https://bugs.python.org/issue14826
Victor
--
Night gathers, and now my watch begins. It shall not end until my death.
More information about the Python-Dev
mailing list