Message347285
| Author |
xtreak |
| Recipients |
cstratak, gregory.p.smith, larry, martin.panter, miss-islington, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak |
| Date |
2019年07月04日.15:31:37 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1562254297.7.0.0462757180102.issue30458@roundup.psfhosted.org> |
| In-reply-to |
| Content |
Okay, the url variable against which the regex check is made is not the full url but the path. The HTTPConnection class sets self.host [0] in the constructor which is used to send the Host header. Perhaps the regex check could be done for the host too given the path check is already done in the previous commit. With that the reported host also throws a http.client.InvalidURL exception.
> A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: https://bugzilla.redhat.com/show_bug.cgi?id=1673465
The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue?
[0] https://github.com/python/cpython/blob/7f41c8e0dd237d1f3f0a1d2ba2f3ee4e4bd400a7/Lib/http/client.py#L829 |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2019年07月04日 15:31:37 | xtreak | set | recipients:
+ xtreak, gregory.p.smith, vstinner, larry, martin.panter, serhiy.storchaka, xiang.zhang, cstratak, orange, miss-islington, ware |
| 2019年07月04日 15:31:37 | xtreak | set | messageid: <1562254297.7.0.0462757180102.issue30458@roundup.psfhosted.org> |
| 2019年07月04日 15:31:37 | xtreak | link | issue30458 messages |
| 2019年07月04日 15:31:37 | xtreak | create |
|