Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.lang.python > #110058

(repost) Advisory: HTTP Header Injection in Python urllib

From Paul Rubin <no.email@nospam.invalid>
Newsgroups comp.lang.python
Subject (repost) Advisory: HTTP Header Injection in Python urllib
Date 2016-06-17 11:49 -0700
Organization A noiseless patient Spider
Message-ID <87shwbmz0l.fsf@nightsong.com> (permalink)

Show all headers | View raw


The blog post below is from a couple days ago:

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

It reports that it's possible to inject fake http headers into requests
sent by urllib2(python2) and urllib(python3), by getting the library to
retrieve a url concocted to have a newline followed by other headers.  A
malicious site can do this by redirecting from a normal url to a
concocted one.  It gives examples of some exploits possible with this
trick, against Redis and Memcached.

There's a small HN thread here:
   https://news.ycombinator.com/item?id=11921568

Someone there mentions "Python 3.5.0+, 3.4.4+ and 2.7.9+ are not
vulnerable" since there's been a patch, but some Linux distros still use
older versions.

I don't know the situation with python2 urllib or with the request
library.

The blog post criticizes Redis and Memcached for not using any
authentication (since "safe" internal networks are often not safe) and
makes the interesting claim that even services on localhost should use
authentication these days.

Back to comp.lang.python | Previous | NextNext in thread | Find similar | Unroll thread


Thread

(repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-17 11:49 -0700
  Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-18 11:00 +1000
    Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-17 23:52 -0400
      Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-19 02:02 +1000
        Re: (repost) Advisory: HTTP Header Injection in Python urllib alister <alister.ware@ntlworld.com> - 2016-06-18 16:38 +0000
        Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-18 13:28 -0400
          Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-22 01:27 +1000
            Re: (repost) Advisory: HTTP Header Injection in Python urllib Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-06-21 16:09 +0000
        Re: (repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-18 13:43 -0700
    Re: (repost) Advisory: HTTP Header Injection in Python urllib Marko Rauhamaa <marko@pacujo.net> - 2016-06-18 11:35 +0300

csiph-web