oss-sec mailing list archives
Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client
From: Tim <tim-security () sentinelchicken org>
Date: Tue, 14 Jun 2016 14:16:24 -0700
> I would like to request a CVE for a Python header injection flaw in urllib2/urllib/httplib/http.client. HTTPConnection.putheader() allows unsafe characters, which can be used to inject additional headers. Upstream bug with reproducer: https://bugs.python.org/issue22928
Thank you for requesting a CVE, Cedric. I have additional information about this bug, including an additional exploitation path, which I shared with Python security on January 14, 2016. Unfortunately, they have apparently failed to act to notify the public or acquire a CVE. (They stopped responding to me months ago.) I'll post the additional information soon, once I am back at my desk.

In the meantime, do you happen to have specific information on which versions of the 2.x and 3.x upstream branches were affected/fixed?

Thanks!
tim
Current thread:
- CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Cedric Buissart (Jun 14)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Tim (Jun 14)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Cedric Buissart (Jun 15)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Tim (Jun 15)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Cedric Buissart (Jun 17)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Marcus Meissner (Jun 23)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client cve-assign (Jun 23)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Cedric Buissart (Jun 15)
- Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client Tim (Jun 14)