[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Karthikeyan tir.karthi at gmail.com
Tue Apr 9 19:45:06 EDT 2019


I would recommend fixing it since it's potentially remote code execution on
systems like Redis (latest versions of Redis have this mitigated), though I
must admit I don't fully understand the complexity since there are multiple
issues linked. Go was also assigned a CVE for the linked issue, and it seemed
to be the same reporter by username: CVE-2019-9741. I tried using Go's
approach in the commit, but urlopen accepts more URLs, like data URLs [0],
that seemed to accept \n as a valid case, and the patch broke some tests.
Looking at the issue discussion, the complexity also involves backwards
compatibility. Golang also pushed an initial fix that seemed to break their
internal tests [0] to arrive at a simpler fix.

[0] https://github.com/python/cpython/blob/a40681dd5db8deaf05a635eecb91498dac882aa4/Lib/test/test_urllib.py#L482
[1] https://go-review.googlesource.com/c/go/+/159157/2#message-39c6be13a192bf760f6318ac641b432a6ab8fdc8

-- 
Regards,
Karthikeyan S
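
The compatibility problem described in the message above, as an added example that is not part of the original post and is not the CPython or Go patch: a check that rejects raw control characters only in http(s) URLs, so a data URL containing \n still passes. The names `check_url`, `audit` and `UnsafeURL`, the character class and the sample URLs are assumptions made for this illustration.

```python
import re

# Assumption: "control character" means ASCII 0x00-0x1f and 0x7f.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Only these schemes end up in an HTTP request line and headers.
_HTTP_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when an http(s) URL carries a raw control character."""


def scheme_of(url):
    # Scheme is taken by hand so nothing is normalised before the check.
    head, sep, _ = url.partition(":")
    return head.lower() if sep else ""


def check_url(url):
    """Return url unchanged, or raise UnsafeURL for an unsafe http(s) URL."""
    if scheme_of(url) in _HTTP_SCHEMES:
        match = _CONTROL.search(url)
        if match:
            raise UnsafeURL(
                f"control character {match.group()!r} at offset {match.start()}"
            )
    # Other schemes (data:, file:, ...) are left alone: a data URL may
    # legitimately contain \n, which is the case that broke the tests.
    return url


def audit(urls):
    """Return (url, verdict) pairs, verdict being 'ok' or 'rejected'."""
    results = []
    for url in urls:
        try:
            check_url(url)
            results.append((url, "ok"))
        except UnsafeURL:
            results.append((url, "rejected"))
    return results


# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "http://example.test/index.html",
    "http://example.test/?q=1\r\nX-Injected: 1",
    "data:text/plain,hello\nworld",
    "HTTPS://example.test/\x7f",
]
```
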