(repost) Advisory: HTTP Header Injection in Python urllib
random832 at fastmail.com
Sat Jun 18 13:28:56 EDT 2016
On Sat, Jun 18, 2016, at 12:02, Steven D'Aprano wrote:
> Er, you may have missed that I'm talking about a single user setup.
> Are you suggesting that I can't trust myself not to forge a request
> that goes to a hostile site?
> It's all well and good to say that the application is vulnerable to
> X-site attacks, but how does that relate to a system where I'm the
> only user?
I don't think you understand what cross-site request forgery is, unless
your definition of "single user setup" includes not connecting to the
internet at all. The point is that one site causes the client to send a
request (not desired by the user) to another site. That the client is a
single-user system makes no difference.
More information about the Python-list