[issue35906] Header Injection in urllib

Change by Ryan Ware : -- nosy: +ware ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Karthikeyan Singaravelan : -- nosy: +orsenthil ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Sihoon Lee : -- pull_requests: -12476 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Sihoon Lee : -- pull_requests: +12476 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Sihoon Lee : -- pull_requests: +12475 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Sihoon Lee : -- pull_requests: -12474 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Sihoon Lee : -- pull_requests: +12474 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Sihoon Lee added the comment: Yes, I thought so. before the commit version i said, the previous version(~3.4.6), raised an exception(no host given~) in urlopen failing parsing host. If this patch wants to be same as the previous version, It is right to raise an exception like the previous

[issue35906] Header Injection in urllib

Martin Panter added the comment: Maybe related to Victor's "Issue 1" described in Issue 32085. That is also a security bug about CRLF in the URL's path, but was opened before Issue 30500 was opened and the code changed, so I'm not sure if it is the same as this or not. Also there is Issue

[issue35906] Header Injection in urllib

Sihoon Lee added the comment: Sorry, I'm late. My review is here. https://github.com/python/cpython/pull/11768 -- ___ Python tracker ___

[issue35906] Header Injection in urllib

Change by Stéphane Wirtel : -- pull_requests: -11730 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Change by Stéphane Wirtel : -- pull_requests: -11731 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

Stéphane Wirtel added the comment: Hi all, Not sure for the right way for this fix but here is a PR. I am interested by your feedback. Thank you -- nosy: +matrixise ___ Python tracker

[issue35906] Header Injection in urllib

Change by Stéphane Wirtel : -- keywords: +patch pull_requests: +11729 stage: -> patch review ___ Python tracker ___ ___

[issue35906] Header Injection in urllib

Change by Stéphane Wirtel : -- keywords: +patch, patch, patch pull_requests: +11729, 11730, 11731 stage: -> patch review ___ Python tracker ___

[issue35906] Header Injection in urllib

Change by Stéphane Wirtel : -- keywords: +patch, patch pull_requests: +11729, 11730 stage: -> patch review ___ Python tracker ___

[issue35906] Header Injection in urllib

Change by Karthikeyan Singaravelan : -- nosy: +martin.panter ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35906] Header Injection in urllib

New submission from Sihoon Lee : this patch can also be broken by path and query string. http://www.cvedetails.com/cve/CVE-2016-5699/ https://bugs.python.org/issue30458 can succeed to inject HTTP header and be more critical by bypassing illegal header check # Vulnerability PoC >>> import

[issue35906] Header Injection in urllib

Change by Raymond Hettinger : -- nosy: +christian.heimes ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: