Message 132393 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Felix.Gröbert
Recipients	Felix.Gröbert, pje
Date	2011-03-28.11:23:32
SpamBayes Score	0.0068518324
Marked as misclassified	No
Message-id	<AANLkTiks6jALPpZ1kaOcXMByjTwO7X=8FCQvKUgWv+oT@mail.gmail.com>
In-reply-to	<1301078492.99.0.856467822453.issue11671@psf.upfronthosting.co.za>

Content
If the spec forbids control characters in headers, the module should enforce that. The most frequent example of header injection is the redirect-case: an application is forwarding using the Location header to a user-supplied URL. http://google.com/codesearch?as_q=self.redirect%5C%28self.request.get Other examples are proxies, setting user-agent, or, as you mention, custom set-cookies headers.

If the spec forbids control characters in headers, the module should
enforce that.

The most frequent example of header injection is the redirect-case: an
application is forwarding using the Location header to a user-supplied
URL.
http://google.com/codesearch?as_q=self.redirect%5C%28self.request.get
Other examples are proxies, setting user-agent, or, as you mention,
custom set-cookies headers.

History
Date	User	Action	Args
2011-03-28 11:23:32	Felix.Gröbert	set	recipients: + Felix.Gröbert, pje
2011-03-28 11:23:32	Felix.Gröbert	link	issue11671 messages
2011-03-28 11:23:32	Felix.Gröbert	create