[issue39603] [security] http.client: HTTP Header Injection in the HTTP method

2020-09-28 Thread Larry Hastings
Larry Hastings added the comment:

> Also note that httplib (python-2.7.18) seems to be affected too. Any particular reason for it not to be listed in the same vulnerability page?

Yes: 2.7 has been end-of-lifed and is no longer supported.

2020-09-28 Thread Mauro Matteo Cascella
Mauro Matteo Cascella added the comment: Hello, CVE-2020-26116 has been requested/assigned for this flaw via MITRE form: https://cveform.mitre.org/ I suggest mentioning it in the related vulnerability page: https://python-security.readthedocs.io/vuln/http-header-injection-method.html Also

2020-09-03 Thread Larry Hastings
Larry Hastings added the comment: New changeset 524b8de630036a29ca340bc2ae6fd6dc7dda8f40 by Victor Stinner in branch '3.5': bpo-39603: Prevent header injection in http methods (GH-18485) (#21946) https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40

2020-08-24 Thread STINNER Victor
Change by STINNER Victor:

pull_requests: +21056
pull_request: https://github.com/python/cpython/pull/21946

2020-07-22 Thread Guido van Rossum
Guido van Rossum added the comment:

> It should also include 0x20 (space) since that can also be used to manipulate the request.

Can you indicate how to use a space in the HTTP verb as part of an attack?

2020-07-22 Thread Max
Max added the comment: I've just noticed an issue with the current version of the patch. It should also include 0x20 (space) since that can also be used to manipulate the request.

2020-07-20 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 580fbb018fd0844806119614d752b41fc69660f9 by Łukasz Langa in branch '3.8': Python 3.8.5 https://github.com/python/cpython/commit/580fbb018fd0844806119614d752b41fc69660f9

nosy: +lukasz.langa

2020-07-19 Thread Ned Deily
Ned Deily added the comment: Merged for release in 3.9.0b5, 3.8.5, 3.7.9, and 3.6.12. Thanks, everyone!

resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.10 -Python 2.7

2020-07-19 Thread Ned Deily
Ned Deily added the comment: New changeset f02de961b9f19a5db0ead56305fe0057a78787ae by Miss Islington (bot) in branch '3.6': bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539) https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae

2020-07-19 Thread Ned Deily
Ned Deily added the comment: New changeset ca75fec1ed358f7324272608ca952b2d8226d11a by Miss Islington (bot) in branch '3.7': bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538) https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a

2020-07-18 Thread M W
Change by M W:

assignee: -> christian.heimes
components: +SSL
nosy: +M W2, christian.heimes

2020-07-18 Thread miss-islington
miss-islington added the comment: New changeset 27b811057ff5e93b68798e278c88358123efdc71 by Miss Islington (bot) in branch '3.9': bpo-39603: Prevent header injection in http methods (GH-18485) https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71

2020-07-18 Thread miss-islington
miss-islington added the comment: New changeset 668d321476d974c4f51476b33aaca870272523bf by Miss Islington (bot) in branch '3.8': bpo-39603: Prevent header injection in http methods (GH-18485) https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf

2020-07-18 Thread Guido van Rossum
Guido van Rossum added the comment: The 3.9 and 3.8 backports are waiting for tests to complete. The 3.7 and 3.6 backports need to be merged by the RM (Ned). Then someone can close this issue.

nosy: +gvanrossum

2020-07-18 Thread miss-islington
Change by miss-islington:

pull_requests: +20681
pull_request: https://github.com/python/cpython/pull/21539

2020-07-18 Thread miss-islington
Change by miss-islington:

pull_requests: +20680
pull_request: https://github.com/python/cpython/pull/21538

2020-07-18 Thread miss-islington
Change by miss-islington:

pull_requests: +20679
pull_request: https://github.com/python/cpython/pull/21537

2020-07-18 Thread miss-islington
miss-islington added the comment: New changeset 8ca8a2e8fb068863c1138f07e3098478ef8be12e by AMIR in branch 'master': bpo-39603: Prevent header injection in http methods (GH-18485) https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e

nosy: +miss-isling

2020-07-18 Thread miss-islington
Change by miss-islington:

pull_requests: +20678
pull_request: https://github.com/python/cpython/pull/21536

2020-02-18 Thread Maor Kleinberger
Maor Kleinberger added the comment: Hey, it's been a week since the last activity here... Amir, if you are not working on it I'd be glad to work on it as well :)

nosy: +kmaork

2020-02-12 Thread Senthil Kumaran
Senthil Kumaran added the comment: Welcome to work on the patch, Amir.

* We shouldn't be encoding anything.
* Create reject for Unicode control characters and reject the request if the request contains any control character. Write tests for this. It will be similar to one of the examples Victor

2020-02-12 Thread Amir Mohamadi
Change by Amir Mohamadi:

pull_requests: +17858
pull_request: https://github.com/python/cpython/pull/18485

2020-02-12 Thread Amir Mohamadi
Change by Amir Mohamadi:

keywords: +patch
pull_requests: +17850
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/18480

2020-02-11 Thread Amir Mohamadi
Amir Mohamadi added the comment: @vstinner sorry to bother you, I have a quick question. The request(...) method is like this:

    def request(self, method, url, body=None, headers={}, *, encode_chunked=False):
        """Send a complete request t

2020-02-11 Thread Amir Mohamadi
Amir Mohamadi added the comment: Can I work on it?!

nosy: +Amir

2020-02-11 Thread Max
Max added the comment: I agree that the solution is quite restrictive. Restricting to ASCII characters alone would certainly work.

2020-02-11 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan:

nosy: +xtreak

2020-02-11 Thread STINNER Victor
STINNER Victor added the comment:

> The recommended solution is to only allow the standard HTTP methods of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.

I don't think that we have to be so strict. We can maybe restrict the HTTP method to ASCII letters, or just reject co
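The injection this thread is about, and the two validation policies it debates (Victor's "reject control characters", which the fix adopted, versus the stricter rule that also refuses the space Max raised), as an added example. This is my code, not CPython's http.client: `build_request_head` models the pre-fix client that string-interpolates the method into the request line, `parse_request_head` shows what a server makes of those bytes, and the two `validate_method_*` functions are the policies. `INJECTED_METHOD` and the host names are constructed sample input. The one call into the real module is `probe_installed_http_client`, which relies on `HTTPConnection.putrequest` only buffering the request head (no socket is opened), so it tells you offline whether the interpreter you run it on carries the fix.

```python
import http.client
import re

# Constructed attacker-controlled method (sample input, not from the thread).
# The embedded CRLFs close the request line early and smuggle a header; the
# trailing "X-Ignored:" soaks up the " / HTTP/1.1" the client appends.
INJECTED_METHOD = "GET /admin HTTP/1.1\r\nX-Injected: 1\r\nX-Ignored:"

# Policy 1 (what the thread settled on): no ASCII control characters in the
# method.  Including DEL (0x7f) is this example's choice.
CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")

# Policy 2 (stricter): the method must be an RFC 7230 "token", which also
# rules out the space Max raised.  Custom verbs such as PURGE still pass.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def build_request_head(method, url, headers):
    """Unvalidated client (pre-fix behaviour): the request line is built by
    string interpolation, so CR/LF inside `method` are copied onto the wire."""
    lines = [f"{method} {url} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request_head(raw):
    """Server-side view: split the head on CRLF into request line + headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def smuggled_headers(method, url="/", headers=None):
    """Header names a server would see that the caller never supplied;
    a non-empty list means the method injected them."""
    headers = headers or {"Host": "example.test"}
    _, seen = parse_request_head(build_request_head(method, url, headers))
    return sorted(set(seen) - set(headers))


def validate_method_control_chars(method):
    """Policy 1: reject any method containing a control character."""
    match = CONTROL_CHAR_RE.search(method)
    if match:
        raise ValueError(f"method can't contain control characters: {method!r} "
                         f"(found {match.group()!r})")
    return method


def validate_method_token(method):
    """Policy 2: the whole method must be one non-empty HTTP token.
    fullmatch, not match with `$`: `$` would let a trailing newline through."""
    if not TOKEN_RE.fullmatch(method):
        raise ValueError(f"method is not an HTTP token: {method!r}")
    return method


def rejects(check, method):
    """True if `check` refuses `method`; lets the two policies be compared."""
    try:
        check(method)
    except ValueError:
        return True
    return False


def safe_request_head(method, url, headers, strict=False):
    """Validated client: apply a policy before interpolating.  A non-ASCII
    method (e.g. a Unicode line separator) still fails at .encode('ascii'),
    which is also the encoding http.client applies to the request line."""
    check = validate_method_token if strict else validate_method_control_chars
    return build_request_head(check(method), url, headers)


def probe_installed_http_client(method=INJECTED_METHOD):
    """Ask the real http.client whether it rejects the injected method.
    putrequest() only buffers the request head, so nothing is connected or
    sent.  'rejected' means this interpreter carries the bpo-39603 fix."""
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest(method, "/", skip_host=True, skip_accept_encoding=True)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    line, hdrs = parse_request_head(
        build_request_head(INJECTED_METHOD, "/", {"Host": "example.test"}))
    print("server sees request line:", line)   # GET /admin HTTP/1.1, not GET /
    print("server sees headers:", hdrs)        # includes X-Injected: 1
    print("policy 1 rejects 'GET X':", rejects(validate_method_control_chars, "GET X"))
    print("policy 2 rejects 'GET X':", rejects(validate_method_token, "GET X"))
    print("installed http.client:", probe_installed_http_client())
```

Run it under the interpreter you ship with: the model shows the attacker's method rewriting both the request target and the header set, and the last line tells you whether that interpreter's http.client raises ValueError on the same input. Note that policy 1 accepts "GET X" while policy 2 refuses it; the thread records the question of whether a space is exploitable but not an answer.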

2020-02-11 Thread STINNER Victor
Change by STINNER Victor:

title: Injection in http.client -> [security] http.client: HTTP Header Injection in the HTTP method