(repost) Advisory: HTTP Header Injection in Python urllib
Paul Rubin
no.email at nospam.invalid
Fri Jun 17 14:49:30 EDT 2016
The blog post below is from a couple days ago:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
It reports that it's possible to inject fake HTTP headers into requests
sent by urllib2 (Python 2) and urllib (Python 3), by getting the library to
retrieve a URL concocted to have a newline followed by other headers. A
malicious site can do this by redirecting from a normal URL to a
concocted one. It gives examples of some exploits possible with this
trick, against Redis and Memcached.
There's a small HN thread here:
https://news.ycombinator.com/item?id=11921568
Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not
vulnerable" since there's been a patch, but some Linux distros still use
older versions.
I don't know the situation with Python 2 urllib or with the requests
library.
The blog post criticizes Redis and Memcached for not using any
authentication (since "safe" internal networks are often not safe) and
makes the interesting claim that even services on localhost should use
authentication these days.
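As an added example (not code from the post or from the advisory it links), here is one client-side mitigation in Python 3: reject raw control characters in any URL, including redirect targets, before urllib builds the request. The names `is_safe_url`, `StrictRedirectHandler`, `build_opener` and `try_redirect` are mine; the sample URLs are constructed.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Raw C0 control characters (CR and LF in particular) must never reach the
# request line. A bare newline in the path ends the request line early and
# whatever follows is parsed by the server as extra headers, which is the
# flaw the advisory describes. Percent-encoded forms such as %0d%0a are sent
# literally and are not decoded by the server's header parser, so they pass.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_url(url: str) -> bool:
    """True only for an http(s) URL with a host and no raw control characters."""
    if _CONTROL_CHARS.search(url):  # check before urlsplit, which strips \t\r\n
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse redirects whose target would smuggle headers.

    urllib follows redirects on its own, so a hostile site can hand the
    client any Location it likes; this subclass applies is_safe_url to the
    resolved target before the base class builds the follow-up request.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_safe_url(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "refused redirect to unsafe URL", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener to use instead of urllib.request.urlopen for untrusted sites."""
    return urllib.request.build_opener(StrictRedirectHandler)


def try_redirect(from_url: str, location: str) -> bool:
    """Offline check: would StrictRedirectHandler follow a 302 to location?"""
    req = urllib.request.Request(from_url)
    try:
        StrictRedirectHandler().redirect_request(req, None, 302, "Found", {}, location)
    except urllib.error.HTTPError:
        return False
    return True
```

Pass `build_opener().open(url)` in place of `urlopen(url)` wherever the fetched URL or its redirect chain is under someone else's control; the raw-character check is the part that matters, since the fix landed in the library itself for the versions the thread mentions.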