(repost) Advisory: HTTP Header Injection in Python urllib
Paul Rubin
no.email at nospam.invalid
Sat Jun 18 16:43:11 EDT 2016

Steven D'Aprano <steve at pearwood.info> writes:
>> The issue ... is cross-site request forgery.
> Er, you may have missed that I'm talking about a single user setup. Are you
> suggesting that I can't trust myself not to forge a request that goes to a
> hostile site?

I think the idea is you visit some website with malicious script that
accesses your localhost resources from your browser. So it's not a
matter of trusting yourself. Rather, it's one of trusting every website
you visit, including the ad servers they transclude, etc.