(repost) Advisory: HTTP Header Injection in Python urllib

Paul Rubin no.email at nospam.invalid
Fri Jun 17 14:49:30 EDT 2016

The blog post below is from a couple days ago:


It reports that it's possible to inject fake HTTP headers into requests
sent by urllib2 (Python 2) and urllib (Python 3), by getting the library to
retrieve a URL concocted to have a newline followed by other headers.  A
malicious site can do this by redirecting from a normal URL to a
concocted one.  It gives examples of some exploits possible with this
trick, against Redis and Memcached.

There's a small HN thread here:

Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not
vulnerable" since there's been a patch, but some Linux distros still use
older versions.

I don't know the situation with python2 urllib or with the request

The blog post criticizes Redis and Memcached for not using any
authentication (since "safe" internal networks are often not safe) and
makes the interesting claim that even services on localhost should use
authentication these days.

More information about the Python-list mailing list
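The post describes the injection vector (a newline in a fetched URL, typically reached through a redirect) but not a client-side check. The following is an added example, not code from the post, the blog it cites, or CPython: it rejects URLs carrying raw CR/LF/NUL characters before they reach urllib, and applies the same check to every redirect target by subclassing `urllib.request.HTTPRedirectHandler`. Refusing percent-encoded `%0d`/`%0a`/`%00` as well is a conservative policy choice of this example, not something the post claims is necessary; the sample URLs are constructed, and `example.invalid` is a placeholder host.

```python
"""Added example: defensive URL validation around urllib (not from the post)."""
import re
import urllib.parse
import urllib.request

# Raw C0 control characters (CR, LF, NUL, ...) and DEL: none of these belong
# in a URL that ends up written into an HTTP request line.
_RAW_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Percent-encoded CR/LF/NUL are legal on the wire, but this example refuses
# them too as a conservative policy (an assumption of the example, not a
# claim of the post), so a client that decodes them can never be fed one.
_ENCODED_CONTROL = re.compile(r"%(0d|0a|00)", re.IGNORECASE)


def has_control_chars(url: str) -> bool:
    """True if the URL carries raw or percent-encoded CR/LF/NUL."""
    return bool(_RAW_CONTROL.search(url) or _ENCODED_CONTROL.search(url))


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to hand to urllib, else raise."""
    if has_control_chars(url):
        raise ValueError("URL contains control characters (header injection risk)")
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that validates every Location target before
    following it, so a redirect cannot steer urllib to a crafted URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_url(newurl)  # raises ValueError, which aborts the redirect
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch url with validation applied to the initial URL and every hop."""
    validate_url(url)
    opener = urllib.request.build_opener(StrictRedirectHandler())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


# Constructed sample inputs (not from the post): one clean URL, one with a
# raw CRLF followed by a fake header, one with the CRLF percent-encoded,
# and one with a non-HTTP scheme.
SAMPLES = [
    "http://example.invalid/ok?q=1",
    "http://example.invalid/path\r\nX-Injected: yes",
    "http://example.invalid/path%0d%0aX-Injected: yes",
    "ftp://example.invalid/",
]


def check_samples() -> dict:
    """Map each sample URL to whether validate_url accepts it."""
    results = {}
    for url in SAMPLES:
        try:
            validate_url(url)
            results[url] = True
        except ValueError:
            results[url] = False
    return results


if __name__ == "__main__":
    for sample, accepted in check_samples().items():
        print("accepted" if accepted else "rejected", repr(sample))
```

`fetch()` needs network access and is not exercised by the sample run; `check_samples()` shows the validator rejecting the three unsafe URLs and accepting the clean one. Patched interpreters (the post quotes 3.5.0+, 3.4.4+ and 2.7.9+) already refuse such URLs inside the library, so a wrapper like this mainly matters on the older distribution-shipped versions the post mentions.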