[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2022-02-28 Thread Ned Deily
Change by Ned Deily: -- pull_requests: -29746

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2022-02-28 Thread Roundup Robot
Change by Roundup Robot: -- nosy: +python-dev nosy_count: 17.0 -> 18.0 pull_requests: +29746 pull_request: https://github.com/python/cpython/pull/31606

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-06-20 Thread Kubilay Kocak
Change by Kubilay Kocak: -- nosy: +koobs

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-06-20 Thread Larry Hastings
Larry Hastings added the comment: New changeset 09d8172837b6985c4ad90ee025f6b5a554a9f0ac by Tapas Kundu in branch '3.5': [3.5] closes bpo-38576: Disallow control characters in hostnames in http.client. (#19300)

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-04-02 Thread Tapas Kundu
Change by Tapas Kundu: -- pull_requests: +18662 pull_request: https://github.com/python/cpython/pull/19300

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-30 Thread Tapas Kundu
Change by Tapas Kundu: -- nosy: +tapakund nosy_count: 14.0 -> 15.0 pull_requests: +18591 pull_request: https://github.com/python/cpython/pull/19231

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-18 Thread Benjamin Peterson
Benjamin Peterson added the comment: New changeset e176e0c105786e9f476758eb5438c57223b65e7f by Matěj Cepl in branch '2.7': [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052)

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-17 Thread Gregory P. Smith
Gregory P. Smith added the comment: marking as a 2.7 release blocker just to get benjamin's RM attention before the final 2.7. -- assignee: gregory.p.smith -> benjamin.peterson nosy: +benjamin.peterson priority: high -> release blocker stage: resolved -> patch review status: closed

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-17 Thread Matej Cepl
Change by Matej Cepl: -- pull_requests: +18403 pull_request: https://github.com/python/cpython/pull/19052

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread Gregory P. Smith
Gregory P. Smith added the comment: If anyone cares about 2.7, the *final* release is coming up in a few weeks. They'll need to figure out what it looks like there and get a 2.7 PR reviewed by the release manager. -- resolution: -> fixed stage: patch review -> resolved status:

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread Ned Deily
Ned Deily added the comment: New changeset 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba by Miss Islington (bot) in branch '3.6': bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread miss-islington
miss-islington added the comment: New changeset 34f85af3229f86c004a954c3f261ceea1f5e9f95 by Miss Islington (bot) in branch '3.7': bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) https://github.com/python/cpython/commit/34f85af3229f86c004a954c3f261ceea1f5e9f95

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread miss-islington
miss-islington added the comment: New changeset ff69c9d12c1b06af58e5eae5db4630cedd94740e by Miss Islington (bot) in branch '3.8': bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) https://github.com/python/cpython/commit/ff69c9d12c1b06af58e5eae5db4630cedd94740e

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread Gregory P. Smith
Gregory P. Smith added the comment: Thanks for the PR Ashwin! -- assignee: -> gregory.p.smith

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread Gregory P. Smith
Gregory P. Smith added the comment: New changeset 9165addc22d05e776a54319a8531ebd0b2fe01ef by Ashwin Ramaswami in branch 'master': bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) https://github.com/python/cpython/commit/9165addc22d05e776a54319a8531ebd0b2fe01ef

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread miss-islington
Change by miss-islington: -- nosy: +miss-islington nosy_count: 11.0 -> 12.0 pull_requests: +18348 pull_request: https://github.com/python/cpython/pull/19000

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread miss-islington
Change by miss-islington: -- pull_requests: +18350 pull_request: https://github.com/python/cpython/pull/19002

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread miss-islington
Change by miss-islington: -- pull_requests: +18349 pull_request: https://github.com/python/cpython/pull/19001

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-03-14 Thread Ashwin Ramaswami
Change by Ashwin Ramaswami: -- keywords: +patch nosy: +epicfaace nosy_count: 10.0 -> 11.0 pull_requests: +18342 stage: needs patch -> patch review pull_request: https://github.com/python/cpython/pull/18995

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-02-28 Thread Ryan Ware
Change by Ryan Ware: -- nosy: +ware

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2020-02-20 Thread Matej Cepl
Matej Cepl added the comment: Just to say this is reproducible only on rather old enterprise Linux distributions, where CVE-2016-10739 bug in glibc has not been fixed. I believe it means RHEL-6, SUSE SLE-10, 11, 12 (not sure whether it applies to some old Debian as well). --

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-12-10 Thread Matej Cepl
Change by Matej Cepl: -- nosy: +mcepl

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-12-08 Thread Gregory P. Smith
Change by Gregory P. Smith: -- priority: normal -> high

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-11-25 Thread Riccardo Schirone
Riccardo Schirone added the comment: The glibc issue mentioned in the first comment is CVE-2016-10739.

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-11-20 Thread Justin Capella
Justin Capella added the comment: Can't see the specifics of that "restricted" redhat bug, but this was an interesting bug and I wanted to ask if perhaps the domain in such cases should be IDN / punycoded ://xn--n28h.ws/ for example is ://.la -- nosy: +b1tninja

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-11-20 Thread kim
Change by kim: -- nosy: +kim

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-11-19 Thread STINNER Victor
Change by STINNER Victor: -- components: +Library (Lib) versions: +Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-10-30 Thread Anselmo Melo
Change by Anselmo Melo: -- nosy: +Anselmo Melo

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread Gregory P. Smith
Change by Gregory P. Smith: -- stage: -> needs patch

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread Gregory P. Smith
Change by Gregory P. Smith: -- nosy: +gregory.p.smith

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread Charalampos Stratakis
Change by Charalampos Stratakis: -- nosy: +cstratak

[issue38576] CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread STINNER Victor
Change by STINNER Victor: -- title: CVE-2019-18348 CRLF injection via the host part of the url passed to urlopen() -> CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

[issue38576] CVE-2019-18348 CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: -- nosy: +vstinner, xtreak

[issue38576] CVE-2019-18348 CRLF injection via the host part of the url passed to urlopen()

2019-10-24 Thread Riccardo Schirone
New submission from Riccardo Schirone : Copy-pasted from https://bugs.python.org/issue30458#msg347282 The commit b7378d77289c911ca6a0c0afaf513879002df7d5 is incomplete: it doesn't seem to check for control characters in the "host" part of the URL, only in the "path" part of