[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2019-08-14 Thread Ashwin Ramaswami
Change by Ashwin Ramaswami:
pull_requests: +15023
pull_request: https://github.com/python/cpython/pull/15299

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread Ned Deily
Changes by Ned Deily:
assignee: georg.brandl ->
priority: release blocker ->
resolution: -> fixed
stage: backport needed -> resolved
status: open -> closed

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread Ned Deily
Ned Deily added the comment:
New changeset 8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1 by Ned Deily (Serhiy Storchaka) in branch '3.3':
[3.3] bpo-22928: Disabled HTTP header injections in http.client. (#2817)
https://github.com/python/cpython/commit/8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:
\A is not needed. match() always matches from the start.

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread STINNER Victor
STINNER Victor added the comment:
> What is the difference between PR 2817 and PR 2861?
Oh crap, I didn't know that you already created a PR. I compared the two PRs:
* My PR adds \A at the start of: _is_legal_header_name = re.compile(rb'\A[^:\s][^:\r\n]*\Z').match
* My PR uses blurb, yours

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:
What is the difference between PR 2817 and PR 2861?

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-25 Thread STINNER Victor
Changes by STINNER Victor:
pull_requests: +2912

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-23 Thread Serhiy Storchaka
Changes by Serhiy Storchaka:
nosy: +benjamin.peterson, larry
priority: normal -> release blocker

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-22 Thread Serhiy Storchaka
Changes by Serhiy Storchaka:
pull_requests: +2870

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-22 Thread Kubilay Kocak
Changes by Kubilay Kocak:
stage: resolved -> backport needed

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2017-07-21 Thread Ned Deily
Ned Deily added the comment:
Getting to be the last chance to backport this for 3.3.x.
nosy: +ned.deily

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2016-07-01 Thread Serhiy Storchaka
Changes by Serhiy Storchaka:
assignee: serhiy.storchaka -> georg.brandl

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2016-07-01 Thread koobs
Changes by koobs:
versions: +Python 3.3

[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)

2016-07-01 Thread koobs
koobs added the comment:
3.3 is supported for security related fixes until September 2017 [1], but only 3.4, 3.5 and 2.7 have received the backport, reopen for outstanding merge
[1] https://docs.python.org/devguide/#status-of-python-branches
Update summary to reflect the RedHat CVE that was