[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-09-28 Thread Larry Hastings


Larry Hastings  added the comment:

> Also note that httplib (python-2.7.18) seems to be affected too. Any 
> particular reason for it not to be listed in the same vulnerability page?

Yes: 2.7 has been end-of-lifed and is no longer supported.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-09-28 Thread Mauro Matteo Cascella


Mauro Matteo Cascella  added the comment:

Hello,

CVE-2020-26116 has been requested/assigned for this flaw via MITRE form: 
https://cveform.mitre.org/

I suggest mentioning it in the related vulnerability page: 
https://python-security.readthedocs.io/vuln/http-header-injection-method.html

Also note that httplib (python-2.7.18) seems to be affected too. Any particular 
reason for it not to be listed in the same vulnerability page?

Thank you,

--
nosy: +mcascella




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-09-03 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset 524b8de630036a29ca340bc2ae6fd6dc7dda8f40 by Victor Stinner in 
branch '3.5':
bpo-39603: Prevent header injection in http methods (GH-18485) (#21946)
https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40


--
nosy: +larry




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-08-24 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +21056
pull_request: https://github.com/python/cpython/pull/21946




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-22 Thread Guido van Rossum


Guido van Rossum  added the comment:

> It should also include 0x20 (space) since that can also be used to manipulate 
> the request.

Can you indicate how to use a space in the HTTP verb as part of an attack?

--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-22 Thread Max


Max  added the comment:

I've just noticed an issue with the current version of the patch. It should 
also include 0x20 (space) since that can also be used to manipulate the request.

--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-20 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 580fbb018fd0844806119614d752b41fc69660f9 by Łukasz Langa in 
branch '3.8':
Python 3.8.5
https://github.com/python/cpython/commit/580fbb018fd0844806119614d752b41fc69660f9


--
nosy: +lukasz.langa




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-19 Thread Ned Deily


Ned Deily  added the comment:

Merged for release in 3.9.0b5, 3.8.5, 3.7.9, and 3.6.12. Thanks, everyone!

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.10 -Python 2.7




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-19 Thread Ned Deily


Ned Deily  added the comment:


New changeset f02de961b9f19a5db0ead56305fe0057a78787ae by Miss Islington (bot) 
in branch '3.6':
bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae


--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-19 Thread Ned Deily


Ned Deily  added the comment:


New changeset ca75fec1ed358f7324272608ca952b2d8226d11a by Miss Islington (bot) 
in branch '3.7':
bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538)
https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a


--
nosy: +ned.deily




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread M W


Change by M W :


--
assignee:  -> christian.heimes
components: +SSL
nosy: +M W2, christian.heimes




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


miss-islington  added the comment:


New changeset 27b811057ff5e93b68798e278c88358123efdc71 by Miss Islington (bot) 
in branch '3.9':
bpo-39603: Prevent header injection in http methods (GH-18485)
https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71


--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


miss-islington  added the comment:


New changeset 668d321476d974c4f51476b33aaca870272523bf by Miss Islington (bot) 
in branch '3.8':
bpo-39603: Prevent header injection in http methods (GH-18485)
https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf


--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread Guido van Rossum


Guido van Rossum  added the comment:

The 3.9 and 3.8 backports are waiting for tests to complete. The 3.7 and 3.6 
backports need to be merged by the RM (Ned). Then someone can close this issue.

--
nosy: +gvanrossum




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20681
pull_request: https://github.com/python/cpython/pull/21539




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20680
pull_request: https://github.com/python/cpython/pull/21538




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20679
pull_request: https://github.com/python/cpython/pull/21537




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


miss-islington  added the comment:


New changeset 8ca8a2e8fb068863c1138f07e3098478ef8be12e by AMIR in branch 
'master':
bpo-39603: Prevent header injection in http methods (GH-18485)
https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e


--
nosy: +miss-islington




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-07-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20678
pull_request: https://github.com/python/cpython/pull/21536




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-18 Thread Maor Kleinberger


Maor Kleinberger  added the comment:

Hey, it's been a week since the last activity here...
Amir, if you are not working on it I'd be glad to work on it as well :)

--
nosy: +kmaork




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-12 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

Welcome to work on the patch, Amir.

* We shouldn't be encoding anything.
* Create a rejection for Unicode control characters and reject the request if the 
request contains any control character. Write tests for this.

It will be similar to one of the examples Victor has shared.

--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-12 Thread Amir Mohamadi


Change by Amir Mohamadi :


--
pull_requests: +17858
pull_request: https://github.com/python/cpython/pull/18485




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-12 Thread Amir Mohamadi


Change by Amir Mohamadi :


--
keywords: +patch
pull_requests: +17850
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/18480




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread Amir Mohamadi


Amir Mohamadi  added the comment:

@vstinner sorry to bother you, I have a quick question.

the request(...) method is like this:

    def request(self, method, url, body=None, headers={}, *,
                encode_chunked=False):
        """Send a complete request to the server."""
        self._send_request(method, url, body, headers, encode_chunked)

'request' calls the '_send_request' method and '_send_request' calls 'putrequest' 
inside itself.

So is it good if I encode the 'method' parameter to ASCII inside 'putrequest'??!

--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread Amir Mohamadi


Amir Mohamadi  added the comment:

can I work on it?!

--
nosy: +Amir




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread Max


Max  added the comment:

I agree that the solution is quite restrictive.
Restricting to ASCII characters alone would certainly work.

--




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +xtreak




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread STINNER Victor


STINNER Victor  added the comment:

> The recommended solution is to only allow the standard HTTP methods of GET, 
> HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.

I don't think that we have to be so strict. We can maybe restrict the HTTP 
method to ASCII letters, or just reject control characters (U+0000-U+001f).

Similar issues (fixed):

* https://python-security.readthedocs.io/vuln/http-header-injection2.html
* https://python-security.readthedocs.io/vuln/http-header-injection.html

--
nosy: +orsenthil, vstinner
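A worked illustration of what this thread is about: a request line built from an unvalidated method (the CR/LF case Victor's two linked pages describe, and the 0x20 case Max raises later in the thread), a toy server-side parse showing what each one does on the wire, and the kind of check Senthil asks for (reject control characters rather than encode anything). This is an added example, not code from the thread, from the merged GH-18485 patch, or from CPython's http.client. The function names, the HTTP_VERSION constant, the regex (which also refuses space and DEL, going beyond the control-character check the thread settles on), and the lenient server parser are all this example's own assumptions, and the attacker-controlled method strings are constructed.

```python
import re

# Version string appended by the request-line builders below (assumed; it
# stands in for whatever version string a client is configured to send).
HTTP_VERSION = "HTTP/1.1"

# Characters this example refuses inside a method token: the C0 control
# range (which includes CR and LF), DEL, and space.  Rejecting control
# characters is what the thread converges on; space and DEL are this
# example's own addition, following the remark that 0x20 can also be used
# to manipulate the request.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f\x7f ]")


def build_request_line_unchecked(method, url):
    """Format 'METHOD SP target SP version CRLF' with no validation.

    This is the 'before' shape: anything in `method` is copied verbatim onto
    the wire.  A real client would then append its own headers and a blank
    line; they are omitted here to keep the wire image short.
    """
    return f"{method} {url} {HTTP_VERSION}\r\n"


def validate_method(method):
    """Raise ValueError if `method` contains a disallowed character.

    Returns the method unchanged when it is clean, so callers can chain it.
    """
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(
            f"method can't contain control characters or spaces: {method!r} "
            f"(found {match.group()!r})")
    return method


def is_safe_method(method):
    """Boolean form of validate_method(), convenient for tests and filters."""
    return _DISALLOWED_METHOD_CHARS.search(method) is None


def build_request_line_checked(method, url):
    """The hardened builder: refuse the request before anything hits the wire."""
    validate_method(method)
    return f"{method} {url} {HTTP_VERSION}\r\n"


def parse_as_server(wire):
    """Parse a wire image the way a lenient server would.

    The first CRLF-terminated line is split on its first two spaces into
    method, target and version; following lines up to the first empty line
    are headers; anything after that empty line is returned as `leftover`,
    which on a keep-alive connection would be read as the next request.
    """
    head, _, leftover = wire.partition("\r\n\r\n")
    lines = [line for line in head.split("\r\n") if line]
    parts = lines[0].split(" ", 2) if lines else []
    method, target, version = (parts + ["", "", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "leftover": leftover}


if __name__ == "__main__":
    # Constructed attacker-controlled method values (not taken from the thread).
    crlf_method = "GET / HTTP/1.1\r\nX-Injected: yes\r\n\r\nPOST"
    space_method = "GET /admin HTTP/1.0"

    seen = parse_as_server(build_request_line_unchecked(crlf_method, "/target"))
    print("CRLF in method  -> injected header:", seen["headers"])
    print("                   second request queued:", seen["leftover"].strip())

    seen = parse_as_server(build_request_line_unchecked(space_method, "/"))
    print("space in method -> target seen by server:", seen["target"])

    for m in (crlf_method, space_method, "GET", "PATCH"):
        try:
            build_request_line_checked(m, "/")
            print("accepted:", repr(m))
        except ValueError as exc:
            print("rejected:", exc)
```

The check belongs at the point where the method is formatted into the request line (in http.client that is putrequest, as Amir notes further down the thread), because that is the last place the value is still a single token rather than bytes on the wire. Raising instead of encoding or stripping keeps the caller's bug visible: a method that arrives with CR, LF or a space in it is attacker-influenced or miscomputed, and silently "fixing" it would hide that.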




[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-02-11 Thread STINNER Victor


Change by STINNER Victor :


--
title: Injection in http.client -> [security] http.client: HTTP Header 
Injection in the HTTP method
