On Wed, Apr 10, 2019 at 11:00 AM Ivan Pozdeev via Python-Dev <
python-dev@python.org> wrote:
>
> On 10.04.2019 7:30, Karthikeyan wrote:
>
> Thanks Gregory. I think it's a good tradeoff to ensure this validation
> only for URLs of http scheme.
>
> I also agree handling newline is little problematic
On 10.04.2019 7:30, Karthikeyan wrote:
Thanks Gregory. I think it's a good tradeoff to ensure this validation only for
URLs of http scheme.
I also agree handling newline is little problematic over the years and the discussion over the level at which validation should occur also
prolongs some
> 1. Is there a library of URL / Header injection tests e.g. for fuzzing
> that we could generate additional test cases with or from?
https://github.com/swisskyrepo/PayloadsAllTheThings seems to contain
payload related stuff but not sure how useful it is for URL parsing.
>
> 2. Are requests.get(
Hi,
I dig into Python code history and the bug tracker. I would like to
say that this issue is a work-in-progress since 2004. Different fixes
have been pushed, but there are *A LOT* of open issues:
https://bugs.python.org/issue30458#msg339846
I would suggest to discuss on https://bugs.python.org/
1. Is there a library of URL / Header injection tests e.g. for fuzzing that
we could generate additional test cases with or from?
2. Are requests.get() and requests.post() also vulnerable?
3. Despite the much-heralded UNIX pipe protocols' utility, filenames
containing newlines (the de-facto line
Thanks Gregory. I think it's a good tradeoff to ensure this validation only
for URLs of http scheme.
I also agree handling newline is little problematic over the years and the
discussion over the level at which validation should occur also prolongs
some of the patches. https://bugs.python.org/issu
On Tue, Apr 9, 2019 at 4:45 PM Karthikeyan wrote:
> I would recommend fixing it since it's potentially remote code execution
> on systems like Redis (latest versions of Redis have this mitigated) though
> I must admit I don't fully understand the complexity since there are
> multiple issues linke
I would recommend fixing it since it's potentially remote code execution on
systems like Redis (latest versions of Redis have this mitigated) though I
must admit I don't fully understand the complexity since there are multiple
issues linked. Go was also assigned a CVE for linked issue and it seemed
Hi,
In May 2017, user "Orange" found a vulnerability in the urllib fix for
CVE-2016-5699 (HTTP Header Injection vulnerability):
https://bugs.python.org/issue30458
It allows to inject arbitrary HTTP headers.
Copy of their message:
"""
Hi, the patch in CVE-2016-5699 can be broke by an addition s
