Martin Panter <[email protected]> added the comment:
Actually, the CRLF + space can be injected via percent encoding, so just
dealing with literal CRLFs and spaces wouldn’t be enough. You would have to
validate the hostname after it is decoded.
urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/")
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
b'Accept-Encoding: identity\r\n',
b'Host: 127.0.0.1\r\n',
b' SLAVEOF . . . :6379\r\n',
b'Connection: close\r\n',
b'User-Agent: Python-urllib/2.7\r\n',
b'\r\n']
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue30458>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
