(repost) Advisory: HTTP Header Injection in Python urllib
Marko Rauhamaa
marko at pacujo.net
Sat Jun 18 04:35:20 EDT 2016
Steven D'Aprano <steve at pearwood.info>:
> "Even an unauthenticated service listening on localhost is risky these
> days."
>
> but fall short of *explicitly* recommending that they should be
> authenticated. Although they do *implicitly* do so, by saying that "it
> wouldn't be hard" for such services to include a password.
In the local case, one should consider using local domain sockets
(AF_LOCAL), which can reliably identify the peer's credentials
(SO_PASSCRED, SO_PEERCRED).
Marko
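As an added example (not part of Marko's post, the original advisory, or Python's own code), here is the local-socket approach the reply describes: a service on an AF_UNIX socket asks the kernel who connected (Linux SO_PEERCRED) and refuses anyone whose uid is not on an allow-list, rather than trusting that "it's on 127.0.0.1" is enough. It assumes Linux (SO_PEERCRED and the three-field struct ucred layout are Linux-specific; on other platforms the helper returns None and the check fails closed), and the socket path, the PeerCred type and the handshake() driver are illustrative names chosen for this example. The client is run in the same process so the block works stand-alone.

```python
"""Authenticate a local client by kernel-reported peer credentials on an
AF_UNIX socket instead of trusting a TCP port bound to 127.0.0.1."""
import os
import socket
import struct
import tempfile
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Linux 'struct ucred': pid_t pid, uid_t uid, gid_t gid (three 32-bit fields).
# Assumption: Linux layout; other systems use a different option and struct.
_UCRED_FMT = "iII"
_UCRED_SIZE = struct.calcsize(_UCRED_FMT)

# Facts about this process, used by the demo driver below.
MY_UID = os.getuid()
MY_PID = os.getpid()
CREDS_AVAILABLE = hasattr(socket, "SO_PEERCRED")


@dataclass(frozen=True)
class PeerCred:
    pid: int
    uid: int
    gid: int


def peer_credentials(conn: socket.socket) -> Optional[PeerCred]:
    """Return the peer's credentials as the kernel recorded them at connect().

    Only AF_UNIX sockets carry them and only Linux exposes SO_PEERCRED; in any
    other case return None so that the caller fails closed.
    """
    if conn.family != socket.AF_UNIX or not CREDS_AVAILABLE:
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED_SIZE)
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw)
    return PeerCred(pid, uid, gid)


def authorize(cred: Optional[PeerCred], allowed_uids: Iterable[int]) -> bool:
    """Fail closed: missing credentials or a uid outside the allow-list is a denial."""
    return cred is not None and cred.uid in set(allowed_uids)


def handshake(allowed_uids: Iterable[int]) -> Tuple[bool, Optional[PeerCred], bytes]:
    """Run a server and a client in this process over a temporary AF_UNIX socket.

    Returns (accepted, credentials the server saw, reply the client received).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "svc.sock")  # illustrative socket location
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            # Restrict the socket node as well: defence in depth, not a substitute
            # for the uid check (file modes on sockets are not honoured everywhere).
            os.chmod(path, 0o600)
            srv.listen(1)
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
                cli.connect(path)  # completes via the backlog before accept()
                conn, _ = srv.accept()
                with conn:
                    cred = peer_credentials(conn)
                    accepted = authorize(cred, allowed_uids)
                    conn.sendall(b"OK\n" if accepted else b"DENIED\n")
                reply = cli.recv(64)  # still readable after the server closed its end
    return accepted, cred, reply


if __name__ == "__main__":
    ok, cred, reply = handshake({MY_UID})
    print(f"peer={cred} accepted={ok} reply={reply!r}")
```

Two caveats a deployment should keep in mind: SO_PEERCRED reports the credentials the client had when it called connect(), so decisions should key on uid/gid, not on the pid, which may be recycled by the time you look at it. SO_PASSCRED is the per-message variant (credentials arrive as SCM_CREDENTIALS ancillary data on recvmsg()), which is what you want for SOCK_DGRAM services or when each request must be attributed separately.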