[issue37093] http.client aborts header parsing upon encountering non-ASCII header names

2019-12-23 Thread Tim Burke
Tim Burke added the comment: Note that because http.server uses http.client to parse headers [0], this can pose a request-smuggling vector depending on how you've designed your system. For example, you might have a storage system with a user-facing HTTP server that is in char

[issue38216] Fix for issue30458 (HTTP Header Injection) prevents crafting invalid requests

2019-09-20 Thread Tim Burke
Tim Burke added the comment: Something like this for 3.7, say? I should probably go add some tests in test_httplib.py (for example, to demonstrate that http.client can still send a raw #, even if urllib appropriately drops the fragment), but I wanted some feedback on whether this is even an

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-20 Thread Tim Burke
Tim Burke added the comment:
> Since at least one project is known to have been impacted, it's not unreasonable to expect that more will be.
I can confirm at least one other: OpenStack Swift's stable jobs have been broken by https://github.com/python/cpython/commit/bb80

[issue38216] Fix for issue30458 prevents crafting invalid requests

2019-09-18 Thread Tim Burke
Change by Tim Burke: nosy: +tburke

[issue36274] http.client cannot send non-ASCII request lines

2019-09-11 Thread Tim Burke
Tim Burke added the comment: Fair enough. Seems kinda related to https://bugs.python.org/issue30458 -- looks like it was a fun one ;-) I think either approach would work for me; my existing work-around doesn't preclude either, particularly since I want it purely for testing purposes.

[issue37093] http.client aborts header parsing upon encountering non-ASCII header names

2019-06-03 Thread Tim Burke
Change by Tim Burke: keywords: +patch pull_requests: +13672 stage: test needed -> patch review pull_request: https://github.com/python/cpython/pull/13788

[issue37093] http.client aborts header parsing upon encountering non-ASCII header names

2019-05-29 Thread Tim Burke
New submission from Tim Burke: First, spin up a fairly trivial http server: import wsgiref.simple_server def app(environ, start_response): start_response('200 OK', [ ('Some-Canonical', 'headers'), ('sOme-CRAz

[issue36274] http.client cannot send non-ASCII request lines

2019-03-13 Thread Tim Burke
Change by Tim Burke: pull_requests: +12289

[issue36274] http.client cannot send non-ASCII request lines

2019-03-13 Thread Tim Burke
Change by Tim Burke: keywords: +patch pull_requests: +12288 stage: -> patch review

[issue36274] http.client cannot send non-ASCII request lines

2019-03-12 Thread Tim Burke
New submission from Tim Burke: While the RFCs are rather clear that non-ASCII data would be out of spec,
* that doesn't prevent a poorly-behaved client from sending non-ASCII bytes on the wire, which means
* as an application developer, it's useful to be able to mimic such a client

[issue34698] urllib.request.Request.set_proxy doesn't (necessarily) replace type

2018-09-15 Thread Tim Burke
New submission from Tim Burke: Not sure if this is a documentation or behavior bug, but... the docs for urllib.request.Request.set_proxy (https://docs.python.org/3/library/urllib.request.html#urllib.request.Request.set_proxy) say > Prepare the request by connecting to a proxy server. *

[issue33973] HTTP request-line parsing splits on Unicode whitespace

2018-06-26 Thread Tim Burke
Change by Tim Burke: keywords: +patch pull_requests: +7539 stage: -> patch review

[issue33973] HTTP request-line parsing splits on Unicode whitespace

2018-06-26 Thread Tim Burke
New submission from Tim Burke: This causes (admittedly, buggy) clients that would work with a Python 2 server to stop working when the server upgrades to Python 3. To demonstrate, run `python2.7 -m SimpleHTTPServer 8027` in one terminal and `curl -v http://127.0.0.1:8027/你好` in another