(repost) Advisory: HTTP Header Injection in Python urllib

alister alister.ware at ntlworld.com
Sat Jun 18 12:38:06 EDT 2016

On Sun, 19 Jun 2016 02:02:43 +1000, Steven D'Aprano wrote:

> On Sat, 18 Jun 2016 01:52 pm, Random832 wrote:
>> On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
>>> The author doesn't go into details of what sort of attacks against
>>> localhost they're talking about. An unauthenticated service running on
>>> localhost implies, to me, a single-user setup, where presumably the
>>> single-user has admin access to localhost. So I'm not really sure what
>>> "risk" they have
>> The issue - especially clearly in this context, which demonstrates a
>> working exploit for this vulnerability - is cross-site request forgery.
>> Which doesn't technically require the victim service to be HTTP (I
>> remember a proof of concept a while back which would trick a browser
>> into connecting to an IRC server), so long as it can ignore HTTP
>> headers.
> Er, you may have missed that I'm talking about a single user setup. Are
> you suggesting that I can't trust myself not to forge a request that
> goes to a hostile site?
> It's all well and good to say that the application is vulnerable to
> X-site attacks, but how does that relate to a system where I'm the only
> user?

one possible reason I can think of is if for whatever reason your 
computer is infected by malware that malware could make use of the 

"The only way for a reporter to look at a politician is down."
-- H.L. Mencken

More information about the Python-list mailing list