oss-sec mailing list archives

Re: CVE request: Python HTTP header injection in urllib2/urllib/httplib/http.client


From: Tim <tim-security () sentinelchicken org>
Date: Tue, 14 Jun 2016 14:16:24 -0700


I would like to request a CVE for a Python header injection flaw in
urllib2/urllib/httplib/http.client.

HTTPConnection.putheader() allows unsafe characters, which can be used to
inject additional headers.

Upstream bug with reproducer:
https://bugs.python.org/issue22928


Thank you for requesting a CVE Cedric.  I have additional information
about this bug, including an additional exploitation path, which I
shared with Python security on January 14, 2016.  Unfortunately, they
have apparently failed to act to notify the public or acquire a CVE.
(They stopped responding to me months ago.)  I'll post the additional
information soon, once I am back at my desk.

In the meantime, do you happen to have specific information on which
versions of the 2.x and 3.x upstream branches were affected/fixed?

Thanks!
tim

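The putheader() flaw described in the quoted request, illustrated with an added example that is not code from the Python project or from either poster: a strict header validator plus a hypothetical StrictHeaderBuffer stand-in for the putheader()/endheaders() step that refuses names or values containing CR, LF or other control characters, run as an audit over constructed sample inputs.

```python
import re

# Header field names are RFC 7230 tokens: no whitespace, no ':' and no control characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# A CR, LF or other control character (HTAB excepted) inside a value ends the header
# line early, so whatever follows is parsed as further headers or as the body.
# This is deliberately stricter than obs-fold handling: no CR/LF is accepted at all.
_CTL_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def _as_text(item):
    # http.client accepts str or bytes; bytes are treated as latin-1 on the wire.
    return item.decode("latin-1") if isinstance(item, (bytes, bytearray)) else str(item)


def validate_header(name, value):
    """Return None when the pair is safe to emit, otherwise a short reason string."""
    name, value = _as_text(name), _as_text(value)
    if not _TOKEN.fullmatch(name):
        return "illegal header name"
    hit = _CTL_IN_VALUE.search(value)
    if hit:
        return "control character 0x%02x in header value" % ord(hit.group())
    return None


class StrictHeaderBuffer:
    """Hypothetical stand-in for the header-writing part of HTTPConnection (not the
    stdlib class): validates every header before it is serialised."""

    def __init__(self):
        self._lines = []

    def putheader(self, name, *values):
        for value in values:
            reason = validate_header(name, value)
            if reason:
                raise ValueError("%s: %r" % (reason, (name, value)))
        joined = ", ".join(_as_text(v) for v in values)
        self._lines.append("%s: %s" % (_as_text(name), joined))

    def endheaders(self):
        # Serialise exactly as a header block would be written, ending with a blank line.
        return "".join(line + "\r\n" for line in self._lines) + "\r\n"


# Constructed samples: one benign header and three that would split the header block.
SAMPLES = [
    ("X-Request-Id", "abc123"),
    ("X-Request-Id", "abc123\r\nX-Injected: 1"),
    ("X-Bad\r\nName", "x"),
    ("X-Req Id", "x"),
]


def audit(samples=SAMPLES):
    """Detection pass over untrusted header inputs: returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name, value in samples:
        reason = validate_header(name, value)
        (rejected if reason else accepted).append((name, value, reason))
    return accepted, rejected
```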
