[issue30458] [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
STINNER Victor
report at bugs.python.org
Wed Apr 10 08:35:01 EDT 2019
STINNER Victor <vstinner at redhat.com> added the comment:
> According to the following message, urllib3 is also vulnerable to HTTP Header Injection: (...)
And the issue has been reported to urllib3:
https://github.com/urllib3/urllib3/issues/1553
Copy of the first message:
"""
At https://bugs.python.org/issue36276 there's an issue in Python's urllib that an attacker controlling the request parameter can inject headers by injecting CR/LF chars.
A commenter mentions that the same bug is present in urllib3:
https://bugs.python.org/issue36276#msg337837
So reporting it here to make sure it gets attention.
"""
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
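
Added example, not part of the tracker message and not code from CPython or urllib3: a minimal request builder that interpolates the request target unchecked, next to the same builder with a check that rejects CR/LF and other control characters before anything is written to the socket. The function names, the host example.test and the sample targets are constructed for illustration.

```python
import re

# Assumption for this example: reject ASCII control characters (CR and LF
# included), space and DEL anywhere in the host or request target.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def build_request_unchecked(host, target):
    """Naive builder: the target goes straight into the request line."""
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def build_request_checked(host, target):
    """Same builder, but fails closed on control characters or whitespace."""
    for name, value in (("host", host), ("target", target)):
        if _UNSAFE.search(value):
            raise ValueError(f"{name} contains a disallowed character: {value!r}")
    return build_request_unchecked(host, target)


def header_names(raw):
    """Header names a receiving server would parse from the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # skip the request line
    return [l.split(b":", 1)[0].decode("latin-1") for l in lines if b":" in l]


# Constructed sample inputs: one ordinary target, one carrying CR/LF.
BENIGN = "/search?q=python"
INJECTED = "/search?q=python HTTP/1.1\r\nX-Injected: 1\r\nX-Ignore: "


def demo():
    """Return (headers seen for BENIGN, headers seen for INJECTED, rejected?)."""
    ok = header_names(build_request_unchecked("example.test", BENIGN))
    bad = header_names(build_request_unchecked("example.test", INJECTED))
    try:
        build_request_checked("example.test", INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return ok, bad, rejected


if __name__ == "__main__":
    print(demo())
```

The unchecked builder makes the server see headers the caller never set; the checked builder raises before any bytes are produced, so validation belongs at the point where caller-supplied URL parts enter the request.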