Date: Wed, 15 Jun 2016 09:54:21 -0700 From: Tim <tim-security@...tinelchicken.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client > Reproducible on all python versions I tested : 2.4, 2.6, 2.7, 3.4 and 3.5 > > Fixed branches : > 3.4 / 3.5 : revision 94952 : https://hg.python.org/cpython/rev/bf3e1c9b80e9 > 2.7 : revision 94951 : https://hg.python.org/cpython/rev/1c45047c5102 > Thank you Cedric! Here are the additional details I promised: http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html The gist of it is that protocol injection can occur not only if an application sets a header based on user-supplied values, but also if the application ever tries to fetch a URL specified by an attacker (SSRF case) OR if the application ever accesses any malicious web server (redirection case). URLs of the following form allow injection into the HTTP stream: http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo http://localhost%00%0d%0ax-bar:%20:12345/foo More details in the blog post, of course. Best regards, tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.