1. Is there a library of URL / Header injection tests e.g. for fuzzing that we could generate additional test cases with or from?
2. Are requests.get() and requests.post() also vulnerable? 3. Despite the much-heralded UNIX pipe protocols' utility, filenames containing newlines (the de-facto line record delimiter) are possible: "file"$'\n'"name" Should filenames containing newlines and control characters require a kwarg to be non-None in order to be passed through unescaped to the HTTP request? On Wednesday, April 10, 2019, Karthikeyan <tir.kar...@gmail.com> wrote: > Thanks Gregory. I think it's a good tradeoff to ensure this validation > only for URLs of http scheme. > > I also agree handling newline is little problematic over the years and the > discussion over the level at which validation should occur also prolongs > some of the patches. https://bugs.python.org/issue35906 is another > similar case where splitlines is used but it's better to raise an error and > the proposed fix could be used there too. Victor seemed to wrote a similar > PR like linked one for other urllib functions only to fix similar attack in > ftplib to reject newlines that was eventually fixed only in ftplib > > * https://bugs.python.org/issue30713 > * https://bugs.python.org/issue29606 > > Search also brings multiple issues with one duplicate over another that > makes these attacks scattered over the tracker and some edge case missing. > Slightly off topic, the last time I reported a cookie related issue where > the policy can be overriden by third party library I was asked to fix it in > stdlib itself since adding fixes to libraries causes maintenance burden to > downstream libraries to keep up upstream. With urllib being a heavily used > module across ecosystem it's good to have a fix landing in stdlib that > secures downstream libraries encouraging users to upgrade Python too. > > Regards, > Karthikeyan S > >>
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com