[Python-Dev] Need help to fix HTTP Header Injection vulnerability
Thanks Gregory. I think it's a good tradeoff to ensure this validation only
for URLs of http scheme.
I also agree handling newline is little problematic over the years and the
discussion over the level at which validation should occur also prolongs
some of the patches. https://bugs.python.org/issue35906 is another similar
case where splitlines is used but it's better to raise an error and the
proposed fix could be used there too. Victor seemed to wrote a similar PR
like linked one for other urllib functions only to fix similar attack in
ftplib to reject newlines that was eventually fixed only in ftplib
Search also brings multiple issues with one duplicate over another that
makes these attacks scattered over the tracker and some edge case missing.
Slightly off topic, the last time I reported a cookie related issue where
the policy can be overriden by third party library I was asked to fix it in
stdlib itself since adding fixes to libraries causes maintenance burden to
downstream libraries to keep up upstream. With urllib being a heavily used
module across ecosystem it's good to have a fix landing in stdlib that
secures downstream libraries encouraging users to upgrade Python too.
-------------- next part --------------
An HTML attachment was scrubbed...