(repost) Advisory: HTTP Header Injection in Python urllib

Marko Rauhamaa marko at pacujo.net
Sat Jun 18 04:35:20 EDT 2016


Steven D'Aprano <steve at pearwood.info>:

> "Even an unauthenticated service listening on localhost is risky these
> days."
>
> but fall short of *explicitly* recommending that they should be
> authenticated. Although they do *implicitly* do so, by saying that "it
> wouldn't be hard" for such services to include a password.

In the local case, one should consider using local domain sockets
(AF_LOCAL), which can reliably identify the peer's credentials
(SO_PASSCRED, SO_PEERCRED).


Marko


More information about the Python-list mailing list