(repost) Advisory: HTTP Header Injection in Python urllib

Paul Rubin no.email at nospam.invalid
Fri Jun 17 14:49:30 EDT 2016


The blog post below is from a couple days ago:

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

It reports that it's possible to inject fake http headers into requests
sent by urllib2(python2) and urllib(python3), by getting the library to
retrieve a url concocted to have a newline followed by other headers.  A
malicious site can do this by redirecting from a normal url to a
concocted one.  It gives examples of some exploits possible with this
trick, against Redis and Memcached.

There's a small HN thread here:
   https://news.ycombinator.com/item?id=11921568

Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not
vulnerable" since there's been a patch, but some Linux distros still use
older versions.

I don't know the situation with python2 urllib or with the request
library.

The blog post criticizes Redis and Memcached for not using any
authentication (since "safe" internal networks are often not safe) and
makes the interesting claim that even services on localhost should use
authentication these days.


More information about the Python-list mailing list