[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Thanks Gregory. I think it's a good tradeoff to ensure this validation only
for URLs of http scheme.

I also agree handling newline is little problematic over the years and the
discussion over the level at which validation should occur also prolongs
some of the patches. is another similar
case where splitlines is used but it's better to raise an error and the
proposed fix could be used there too. Victor seemed to wrote a similar PR
like linked one for other urllib functions only to fix similar attack in
ftplib to reject newlines that was eventually fixed only in ftplib


Search also brings multiple issues with one duplicate over another that
makes these attacks scattered over the tracker and some edge case missing.
Slightly off topic, the last time I reported a cookie related issue where
the policy can be overriden by third party library I was asked to fix it in
stdlib itself since adding fixes to libraries causes maintenance burden to
downstream libraries to keep up upstream. With urllib being a heavily used
module across ecosystem it's good to have a fix landing in stdlib that
secures downstream libraries encouraging users to upgrade Python too.

Karthikeyan S

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>