[CVE-2019-18348] Disallow control characters in hostnames in http.client 79/256779/1
author JinWang An <jinwang.an@samsung.com>
Tue, 13 Apr 2021 02:23:10 +0000 (11:23 +0900)
committer JinWang An <jinwang.an@samsung.com>
Tue, 13 Apr 2021 02:23:10 +0000 (11:23 +0900)
commit c99de6c0215e8e6a98bba37192a038571b7de3bb
tree 5bca85e68b83e9ac085a67e9768017e0344912d3
parent c506df4b10da984ee2f5c0bf9745cb7314c65c79
[CVE-2019-18348] Disallow control characters in hostnames in http.client

An issue was discovered in urllib2 in Python 2.x through 2.7.17
and urllib in Python 3.x through 3.8.0. CRLF injection
is possible if the attacker controls a url parameter,
as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the host component
of a URL) followed by an HTTP header.

Change-Id: I733ec1d4986c5b638865ed70530f70a3ea0bd524
Signed-off-by: JinWang An <jinwang.an@samsung.com>
Lib/httplib.py
Lib/test/test_httplib.py
Lib/test/test_urllib2.py
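
The check the commit message describes, as an added example that is not the code from this commit: a host is rejected before it reaches the request head, and a small parser shows what a server would see with and without that check. The names `validate_host`, `build_request_head`, `header_names` and `InvalidHost` are hypothetical, the rejected character set (C0 controls, space, DEL) is an assumption, and the sample hosts are constructed.

```python
import re

# Assumption: reject C0 control characters, space and DEL anywhere in the host.
_DISALLOWED_HOST_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidHost(ValueError):
    """Raised when a host could split the request head into extra lines."""


def validate_host(host):
    """Return the host unchanged, or raise InvalidHost on a disallowed character."""
    match = _DISALLOWED_HOST_CHARS.search(host)
    if match:
        raise InvalidHost(
            "host contains disallowed character %r at offset %d"
            % (match.group(), match.start())
        )
    return host


def build_request_head(host, path="/", validate=True):
    """Serialise a minimal HTTP/1.1 request head the way a client would."""
    if validate:
        validate_host(host)
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host, "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_names(head):
    """Return the header field names a server would parse from the head."""
    text = head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in text.split("\r\n")[1:] if ":" in line]


# Constructed sample inputs: a clean host and one carrying CRLF plus a header.
CLEAN_HOST = "example.test"
TAINTED_HOST = "example.test\r\nX-Injected: 1"

if __name__ == "__main__":
    print(header_names(build_request_head(CLEAN_HOST)))
    # Without the check, the server sees a header the caller never set.
    print(header_names(build_request_head(TAINTED_HOST, validate=False)))
    try:
        build_request_head(TAINTED_HOST)
    except InvalidHost as exc:
        print("rejected:", exc)
```

Validation has to run on the host after URL parsing and percent-decoding, since that is the value that gets written into the request.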