[issue36276] Python urllib CRLF injection vulnerability

2019-03-26 Thread Charalampos Stratakis
Change by Charalampos Stratakis: -- nosy: +cstratak

[issue36276] Python urllib CRLF injection vulnerability

2019-03-19 Thread Senthil Kumaran
Senthil Kumaran added the comment: I am going to make a note that the Superseder 1) https://bugs.python.org/issue30458 - is listed only as pending request for 2.7 with the intention to raise an Exception. However, this bug demonstrates a vulnerability in all versions of Python (including 3.

[issue36276] Python urllib CRLF injection vulnerability

2019-03-17 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- superseder: -> CRLF Injection in httplib

[issue36276] Python urllib CRLF injection vulnerability

2019-03-16 Thread Senthil Kumaran
Senthil Kumaran added the comment: Marking this as duplicate of issue30458. Thanks for the discussion. -- resolution: -> duplicate stage: -> resolved status: open -> closed

[issue36276] Python urllib CRLF injection vulnerability

2019-03-14 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: For reference an exact report on golang repo : https://github.com/golang/go/issues/30794 . This seemed to have been fixed in latest golang release 1.12 and commit https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca . The co

[issue36276] Python urllib CRLF injection vulnerability

2019-03-14 Thread ragdoll
ragdoll added the comment: OK

[issue36276] Python urllib CRLF injection vulnerability

2019-03-14 Thread Brett Cannon
Brett Cannon added the comment: Yep, if it's the same problem then close this as a dupe and just poke the other issue.

[issue36276] Python urllib CRLF injection vulnerability

2019-03-14 Thread Senthil Kumaran
Senthil Kumaran added the comment: Thanks for this report. Should we make this a duplicate of this issue30458 - as they are both referring to the same problem with the underlying library?

[issue36276] Python urllib CRLF injection vulnerability

2019-03-13 Thread Brett Cannon
Brett Cannon added the comment: And security issues should be reported according to https://www.python.org/news/security/ . -- nosy: +brett.cannon

[issue36276] Python urllib CRLF injection vulnerability

2019-03-13 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- nosy: +vstinner

[issue36276] Python urllib CRLF injection vulnerability

2019-03-12 Thread Alvin Chang
Alvin Chang added the comment: I am also seeing the same issue with urllib3

    import urllib3
    pool_manager = urllib3.PoolManager()
    host = "localhost:?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
    url = "http://" + host + ":8080/test/?test=a"
    try:
        info = pool_manager.request('GET',

[issue36276] Python urllib CRLF injection vulnerability

2019-03-12 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: See also https://bugs.python.org/issue30458#msg295067 -- nosy: +martin.panter, orsenthil, xtreak

[issue36276] Python urllib CRLF injection vulnerability

2019-03-12 Thread ragdoll
New submission from ragdoll: Abstract: A CRLF injection vulnerability of Python built-in urllib module (“urllib2” in 2.x, “urllib” in 3.x) was found by our team. An attacker who has control of the requesting address parameter could exploit this vulnerability to manipulate an HTTP header and a