[issue25570] urllib.request > Request.add_header("abcd", "efgh") fails with character ":" in first parameter string

R. David Murray report at bugs.python.org
Fri Nov 6 16:08:46 EST 2015


R. David Murray added the comment:

This behavior change was part of a security fix, and will appear in the next version of 3.4 as well.  See issue 22928.  Header names may not contain colons; the colon separator is added when the header is rendered.  Detecting and rejecting them guards against header injection attacks.

However, that fix was done in httplib.  I think it would also be worthwhile to fix add_header so that it rejects invalid header components when called, instead of only having the check done later in httplib, at a point distant from where the problem occurred.

----------
nosy: +r.david.murray

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25570>
_______________________________________
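
An added example, not part of the tracker message and not CPython's own code: one way to do the call-time check the comment proposes, as a `Request` subclass that rejects bad header components in `add_header` itself. The names `StrictRequest`, `check_header` and `try_add`, and the choice of the strict RFC 7230 token rule for names (tighter than only rejecting colons), are assumptions of this sketch.

```python
import re
import urllib.request

# RFC 7230 "token": the only characters allowed in a header field name.
# This excludes ":", whitespace, CR and LF. (Assumed policy for this sketch.)
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_header(name, value):
    """Raise ValueError if name or value could change the rendered header block."""
    if not isinstance(name, str) or not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    text = value.decode("latin-1") if isinstance(value, bytes) else str(value)
    # A bare CR or LF in the value would start a new header line on the wire.
    if "\r" in text or "\n" in text:
        raise ValueError(f"invalid value for header {name!r}: {value!r}")


class StrictRequest(urllib.request.Request):
    """Request that validates headers when they are added, not when sent.

    Request.__init__ routes its headers= argument through add_header, so
    headers passed to the constructor are checked as well.
    """

    def add_header(self, key, val):
        check_header(key, val)
        super().add_header(key, val)

    def add_unredirected_header(self, key, val):
        check_header(key, val)
        super().add_unredirected_header(key, val)


def try_add(name, value):
    """Return True if the header is accepted, False if it is rejected."""
    req = StrictRequest("http://example.invalid/")  # constructed URL, never fetched
    try:
        req.add_header(name, value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one valid header, the case from the issue
    # title (colon in the name), and a value carrying an extra header line.
    for name, value in [("X-Token", "abc"), ("abcd:", "efgh"),
                        ("X-Note", "v\r\nX-Injected: 1")]:
        print(f"{name!r}: {'accepted' if try_add(name, value) else 'rejected'}")
```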

