[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Karthikeyan tir.karthi at gmail.com
Wed Apr 10 00:30:59 EDT 2019


Thanks Gregory. I think it's a good tradeoff to ensure this validation only
for URLs of http scheme.

I also agree handling newlines has been a little problematic over the years, and the
discussion over the level at which validation should occur also prolongs
some of the patches. https://bugs.python.org/issue35906 is another similar
case where splitlines is used but it's better to raise an error, and the
proposed fix could be used there too. Victor seems to have written a similar PR,
like the linked one, for other urllib functions only to fix a similar attack in
ftplib to reject newlines that was eventually fixed only in ftplib.

* https://bugs.python.org/issue30713
* https://bugs.python.org/issue29606

Search also brings up multiple issues, with one duplicate over another, which
makes these attacks scattered over the tracker and some edge cases missing.
Slightly off topic, the last time I reported a cookie-related issue where
the policy can be overridden by a third-party library, I was asked to fix it in
stdlib itself since adding fixes to libraries causes a maintenance burden for
downstream libraries to keep up with upstream. With urllib being a heavily used
module across the ecosystem, it's good to have a fix landing in stdlib that
secures downstream libraries, encouraging users to upgrade Python too.

Regards,
Karthikeyan S
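
An added example, not part of the original message and not CPython's own code: a check of the kind discussed above, applied only to http/https URLs and raising an error instead of truncating with splitlines. The function names, the rejected character set (ASCII control characters, space and DEL) and the sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: reject ASCII control characters, space and DEL.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")
_HTTP_SCHEMES = {"http", "https"}

# Constructed sample: a newline followed by text shaped like a header.
SAMPLE_BAD_URL = "http://example.invalid/path\r\nX-Injected: 1"


def check_http_url(url):
    """Return url unchanged; raise ValueError for an http(s) URL that
    contains a disallowed character. Other schemes are not validated."""
    # Read the scheme by hand and ignore disallowed characters inside it,
    # so "ht\ntp://..." is still treated as http and then rejected.
    scheme = _DISALLOWED.sub("", url.partition(":")[0]).lower()
    if scheme in _HTTP_SCHEMES:
        match = _DISALLOWED.search(url)
        if match:
            raise ValueError(
                f"URL can't contain control characters: "
                f"{match.group()!r} at offset {match.start()}")
    return url


def truncate_at_newline(url):
    """Lenient alternative: keep the first line, silently drop the rest."""
    lines = url.splitlines()
    return lines[0] if lines else url


def request_line(url):
    """Build the HTTP/1.1 request line from a validated URL."""
    parts = urlsplit(check_http_url(url))
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1\r\n"


if __name__ == "__main__":
    print(repr(truncate_at_newline(SAMPLE_BAD_URL)))  # caller never learns
    try:
        request_line(SAMPLE_BAD_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

Raising makes the bad input visible to the caller, whereas the truncating variant returns a valid-looking URL and hides that anything was dropped.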
