[issue30458] [security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699)

Jason R. Coombs report at bugs.python.org
Sat Sep 14 16:38:54 EDT 2019


Jason R. Coombs <jaraco at jaraco.com> added the comment:

This change caused a regression or two captured in issue36274. Essentially, by blocking invalid requests, it's now not possible for a system intentionally to generate invalid requests for testing purposes. As these point releases of Python start making it into the wild, the impact of this change will likely increase.

I think this patch was applied at too low a level. That is, instead of protecting the user inputs, the change protects the programmer's inputs.

I mention this here so those interested can follow the mitigation work happening in issue36274.

----------
nosy: +jaraco

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue30458>
_______________________________________
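As an added illustration of the layering point made above (this is constructed example code, not anything from the tracker or from CPython itself): an application-level check on the user-supplied value, beside a probe of whether the local interpreter's http.client check fires. It assumes a query shape of `/search?q=...` and the placeholder host `example.invalid`; nothing is sent on the network.

```python
import http.client
import re
import urllib.parse

# Application-level rule: reject ASCII control characters (incl. CR/LF) in the
# raw user value; spaces and other printable characters are percent-encoded.
# Constructed for this example; narrower than the library's own character class.
_APP_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_path(user_segment: str, base: str = "/search") -> str:
    """Build a request path from user input before it reaches http.client.

    A value such as "a\\r\\nX-Injected: 1" is refused here, at the layer that
    knows the value is untrusted, rather than relying on the library.
    """
    if _APP_CONTROL_CHARS.search(user_segment):
        raise ValueError("control character in user-supplied URL segment")
    return f"{base}?q={urllib.parse.quote(user_segment, safe='')}"


def library_rejects(path: str) -> bool:
    """Report whether this interpreter's http.client refuses the path.

    putrequest() only buffers the request line, so this runs offline.
    Interpreters carrying the CVE-2019-9740 fix raise InvalidURL for control
    characters in the URL; older ones buffer the injected line silently.
    """
    conn = http.client.HTTPConnection("example.invalid")  # placeholder host
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print(safe_path("hello world"))  # /search?q=hello%20world
    print(library_rejects("/search?q=hello%20world"))  # False
    print(library_rejects("/a\r\nX-Injected: 1"))  # True on patched Pythons
```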
