Message 347290 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	rschiron
Recipients	cstratak, gregory.p.smith, larry, martin.panter, miss-islington, orange, rschiron, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date	2019-07-04.17:04:56
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<[email protected]>
In-reply-to

Content
> > A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: https://bugzilla.redhat.com/show_bug.cgi?id=1673465 > The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue? I think this was supposed to refer to CVE-2016-10739 (https://bugzilla.redhat.com/show_bug.cgi?id=1347549)

> > A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: https://bugzilla.redhat.com/show_bug.cgi?id=1673465

> The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue?

I think this was supposed to refer to CVE-2016-10739 (https://bugzilla.redhat.com/show_bug.cgi?id=1347549)

History
Date	User	Action	Args
2019-07-04 17:04:56	rschiron	set	recipients: + rschiron, gregory.p.smith, vstinner, larry, martin.panter, serhiy.storchaka, xiang.zhang, cstratak, orange, miss-islington, xtreak, ware
2019-07-04 17:04:56	rschiron	set	messageid: <[email protected]>
2019-07-04 17:04:56	rschiron	link	issue30458 messages
2019-07-04 17:04:56	rschiron	create