[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-10 Thread STINNER Victor
STINNER Victor added the comment: Oh, I didn't recall that this issue (this class of security vulnerabilities) has such an old history. I found *A LOT* of similar open issues. Here are my notes. Maybe most open issues should be closed as duplicates of this one to clarify the status of urllib in

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-10 Thread STINNER Victor
Change by STINNER Victor: -- versions: +Python 3.5, Python 3.6, Python 3.7, Python 3.8

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-10 Thread Gregory P. Smith
Gregory P. Smith added the comment: Martin claimed "Actually, the CRLF + space can be injected via percent encoding". I am unable to reproduce that behavior using urllib.request.urlopen() or urllib.request.URLopener.open() in my master/3.8 tree. -- nosy: +gregory.p.smith

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-10 Thread Gregory P. Smith
Change by Gregory P. Smith: -- assignee: -> gregory.p.smith

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-10 Thread Gregory P. Smith
Change by Gregory P. Smith: -- keywords: +patch pull_requests: +12688 stage: -> patch review

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-09 Thread Ryan Ware
Change by Ryan Ware: -- nosy: +ware

[issue30458] [CVE-2019-9740][security] CRLF Injection in httplib

2019-04-09 Thread STINNER Victor
STINNER Victor added the comment: The CVE-2019-9740 has been assigned to the bpo-36276:
* https://nvd.nist.gov/vuln/detail/CVE-2019-9740
* https://bugzilla.redhat.com/show_bug.cgi?id=1692984
... which has been marked as a duplicate of this issue. -- nosy: +vstinner title: CRLF