[issue30458] CRLF Injection in httplib
Xiang Zhang
report at bugs.python.org
Fri Jun 2 11:36:20 EDT 2017
Xiang Zhang added the comment:
Looking at the code and the previous issue #22928, CRLF immediately followed by a tab or space (obs-fold: CRLF 1*( SP / HTAB )) is a valid part of a header value, so the regex deliberately ignores them.
So it looks right to me that the url given doesn't raise the same exception as the url without spaces, though the given url seems malformed.
----------
nosy: +martin.panter, serhiy.storchaka, xiang.zhang
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue30458>
_______________________________________
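The header-value check discussed in the comment above, shown as an added example (not part of the original message). The first pattern is the one http.client uses for header values; the stricter `strict_ok` policy, the helper names and the sample values are assumptions constructed for this illustration.

```python
import re

# Pattern used by CPython's http.client for header values (see issue #22928):
# illegal = LF not followed by SP/HTAB, or CR not followed by SP/HTAB/LF.
# CRLF followed by SP or HTAB (obs-fold) is therefore accepted.
_is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search

# Stricter policy (assumption of this example): reject any CR or LF.
# RFC 7230 section 3.2.4 deprecates obs-fold, so a sender does not need it.
_has_cr_or_lf = re.compile(rb'[\r\n]').search


def lenient_ok(value: bytes) -> bool:
    """True if the value passes the obs-fold-tolerant check."""
    return _is_illegal_header_value(value) is None


def strict_ok(value: bytes) -> bool:
    """True only if the value contains no line break at all."""
    return _has_cr_or_lf(value) is None


# Constructed sample values, not taken from the issue.
SAMPLES = {
    "plain": b"example.org",
    "obs_fold_space": b"text/plain;\r\n charset=utf-8",
    "obs_fold_tab": b"first\r\n\tsecond",
    "lf_then_space": b"first\n second",
    "crlf_then_text": b"first\r\nsecond",
    "bare_cr": b"first\rsecond",
    "trailing_crlf": b"first\r\n",
}


def classify(samples):
    """Map each sample name to (lenient_ok, strict_ok)."""
    return {name: (lenient_ok(v), strict_ok(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in classify(SAMPLES).items():
        print(f"{name:16} lenient={lenient!s:5} strict={strict}")
```

Code that builds header values from untrusted input can apply the stricter check before handing the value to the library, since the lenient check lets folded values through by design.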