[issue30458] [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)
STINNER Victor
report at bugs.python.org
Tue May 14 11:09:30 EDT 2019
STINNER Victor <vstinner at redhat.com> added the comment:
I backported the fix from Python 3.7 to Python 2.7: PR 13315.
Please review it carefully, I had to make multiple changes to adapt the fix to Python 2:
* non-ASCII characters are explicitly rejected
* urllib doesn't reject control characters: they are quoted properly, so I adapted test_urllib
* urllib2 doesn't quote the URL and so rejects control characters, I added tests to test_urllib2
* I replaced http.client with httplib
* I replaced urllib.request with urllib or urllib2
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
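The two behaviours named in the comment above (quoting control characters versus rejecting them, plus rejecting non-ASCII) can be compared side by side. This is an added example written for Python 3, not the code from PR 13315 or from CPython; the function names, the exact set of characters treated as control characters, and the sample target are assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Assumption: "control characters" covers 0x00-0x20 and 0x7f (space included).
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample: a request target carrying CR LF and a header-like suffix.
SAMPLE_TARGET = "/a\r\nX-Injected: 1"


class InvalidTarget(ValueError):
    """The request target must not be written into a request line."""


def reject_unsafe_target(target):
    """Reject style: refuse non-ASCII and control characters outright."""
    try:
        target.encode("ascii")
    except UnicodeEncodeError:
        raise InvalidTarget("non-ASCII character in %r" % target)
    match = CONTROL_RE.search(target)
    if match:
        raise InvalidTarget(
            "control character %r at offset %d" % (match.group(), match.start())
        )
    return target


def quote_target(target):
    """Quote style: percent-encode anything outside the safe set.

    '%' is kept safe so existing escapes are not double-encoded.
    """
    return quote(target, safe="/?&=%")


def build_request_line(method, target, quoting=False):
    """Build the HTTP/1.1 request line; the target is always validated last."""
    if quoting:
        target = quote_target(target)
    # After quoting, the reject check must pass; it is kept as a final guard.
    return "%s %s HTTP/1.1\r\n" % (method, reject_unsafe_target(target))
```

Either way the request line ends up with exactly one CR LF, the one the client writes itself.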