Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #110058
| From | Paul Rubin <no.email@nospam.invalid> |
|---|---|
| Newsgroups | comp.lang.python |
| Subject | (repost) Advisory: HTTP Header Injection in Python urllib |
| Date | 2016-06-17 11:49 -0700 |
| Organization | A noiseless patient Spider |
| Message-ID | <87shwbmz0l.fsf@nightsong.com> (permalink) |
The blog post below is from a couple days ago: http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html It reports that it's possible to inject fake http headers into requests sent by urllib2(python2) and urllib(python3), by getting the library to retrieve a url concocted to have a newline followed by other headers. A malicious site can do this by redirecting from a normal url to a concocted one. It gives examples of some exploits possible with this trick, against Redis and Memcached. There's a small HN thread here: https://news.ycombinator.com/item?id=11921568 Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not vulnerable" since there's been a patch, but some Linux distros still use older versions. I don't know the situation with python2 urllib or with the request library. The blog post criticizes Redis and Memcached for not using any authentication (since "safe" internal networks are often not safe) and makes the interesting claim that even services on localhost should use authentication these days.
Back to comp.lang.python | Previous | Next — Next in thread | Find similar | Unroll thread
(repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-17 11:49 -0700
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-18 11:00 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-17 23:52 -0400
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-19 02:02 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib alister <alister.ware@ntlworld.com> - 2016-06-18 16:38 +0000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-18 13:28 -0400
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-22 01:27 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-06-21 16:09 +0000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-18 13:43 -0700
Re: (repost) Advisory: HTTP Header Injection in Python urllib Marko Rauhamaa <marko@pacujo.net> - 2016-06-18 11:35 +0300
csiph-web