[issue39603] [security] http.client: HTTP Header Injection in the HTTP method
STINNER Victor
report at bugs.python.org
Tue Feb 11 07:29:20 EST 2020
STINNER Victor <vstinner at python.org> added the comment:
> The recommended solution is to only allow the standard HTTP methods of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.
I don't think that we have to be so strict. We can maybe restrict the HTTP method to ASCII letters, or just reject control characters (U+0000-U+001f).
Similar issues (fixed):
* https://python-security.readthedocs.io/vuln/http-header-injection2.html
* https://python-security.readthedocs.io/vuln/http-header-injection.html
----------
nosy: +orsenthil, vstinner
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39603>
_______________________________________
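The three options discussed in this thread (a strict allow-list of standard methods, restricting the method to token/letter characters, or only rejecting C0 control characters) can be compared side by side. The following is an added example, not code from CPython or from anyone in the thread: `build_request_line` is a constructed stand-in for how a client concatenates the method into the request line, `parse_request` is a constructed minimal server-side parser used only to show what an injected method does, and the `validate_method` policies are illustrative names, not the http.client API. The `INJECTED_METHOD` value is a constructed sample.

```python
import re

# Constructed, vulnerable stand-in for a client's request-line builder:
# the method is interpolated with no validation, so CR/LF in it ends the
# request line early and everything after becomes extra header lines.
def build_request_line(method: str, url: str = "/") -> bytes:
    return f"{method} {url} HTTP/1.1\r\n".encode("ascii")

# Constructed minimal parser: returns (request_line, headers) as a naive
# server would see them. Used only to make the injection visible.
def parse_request(raw: bytes):
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

# Option 1, the lenient fix proposed in the comment: reject only control
# characters U+0000-U+001F. CR (0x0d) and LF (0x0a) fall in this range.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")

def has_control_chars(method: str) -> bool:
    return _CONTROL_CHARS.search(method) is not None

# Option 2, a generalization of "ASCII letters only": accept any RFC 7230
# token (tchar = "!#$%&'*+-.^_`|~" / DIGIT / ALPHA). This still admits
# extension methods such as PROPFIND or PURGE.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def is_token(method: str) -> bool:
    return _TOKEN.match(method) is not None

# Option 3, the strict allow-list from the quoted recommendation.
STANDARD_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE",
    "CONNECT", "OPTIONS", "TRACE", "PATCH",
})

def validate_method(method: str, policy: str = "control") -> str:
    """Return `method` unchanged or raise ValueError under the chosen policy.
    `policy` is an illustrative parameter, not part of http.client."""
    if policy == "control":
        if has_control_chars(method):
            raise ValueError(f"method contains control characters: {method!r}")
    elif policy == "token":
        if not is_token(method):
            raise ValueError(f"method is not an HTTP token: {method!r}")
    elif policy == "allowlist":
        if method not in STANDARD_METHODS:
            raise ValueError(f"method not in allow-list: {method!r}")
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return method

def safe_request_line(method: str, url: str = "/", policy: str = "control") -> bytes:
    """Hardened builder: validate the method before it reaches the request line."""
    return build_request_line(validate_method(method, policy), url)

# Constructed attacker-controlled method. The trailing "X-Tail:" absorbs the
# " / HTTP/1.1" the client appends, so the injected request stays well-formed.
INJECTED_METHOD = "GET / HTTP/1.1\r\nX-Injected: yes\r\nX-Tail:"

if __name__ == "__main__":
    raw = build_request_line(INJECTED_METHOD)
    request_line, headers = parse_request(raw)
    print("vulnerable builder produced request line:", request_line)
    print("server-visible headers:", headers)
    for policy in ("control", "token", "allowlist"):
        try:
            safe_request_line(INJECTED_METHOD, policy=policy)
        except ValueError as exc:
            print(f"{policy}: rejected ({exc})")
        # Extension method: accepted by the two lenient policies only.
        try:
            safe_request_line("PROPFIND", policy=policy)
            print(f"{policy}: PROPFIND accepted")
        except ValueError:
            print(f"{policy}: PROPFIND rejected")
```

The control-character check is the narrowest filter that still closes the CRLF injection, which is why it is attractive for a stdlib whose callers may use non-standard methods; the token check additionally blocks spaces and non-ASCII, which a server might mis-parse in other ways.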