R. David Murray added the comment:

This behavior change was part of a security fix, and will appear in the next 
version of 3.4 as well.  See issue 22928.  Header names may not contain colons; 
the colon separator is added when the header is rendered.  Detecting and 
rejecting them guards against header injection attacks.

However, that fix was done in httplib.  I think it would also be worthwhile to 
fix add_header so that it rejects invalid header components when called, 
instead of only having the check done later in httplib, at a point distant from 
where the problem occurred.

----------
nosy: +r.david.murray

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25570>
_______________________________________
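
The early check suggested in the comment above, as an added example that is not part of the original message or of CPython's code. It assumes the `add_header` in question is `urllib.request.Request.add_header`; the `StrictRequest` subclass, the helper names and the validation rules (RFC 7230 token for names, no CR/LF in values) are hypothetical.

```python
import re
import urllib.request

# Assumed rules, not taken from the CPython fix:
# a header name is an RFC 7230 "token", so it cannot contain ':',
# whitespace or CR/LF; a header value may not contain CR or LF.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_BAD_VALUE = re.compile(r"[\r\n]")


def check_header(name, value):
    """Raise ValueError at the call site instead of later, at send time."""
    if not isinstance(name, str) or not _TOKEN.fullmatch(name):
        raise ValueError("invalid header name %r" % (name,))
    if _BAD_VALUE.search(str(value)):
        raise ValueError("invalid header value %r" % (value,))


class StrictRequest(urllib.request.Request):
    """Hypothetical Request subclass that validates headers when added."""

    def add_header(self, key, val):
        check_header(key, val)
        super().add_header(key, val)

    def add_unredirected_header(self, key, val):
        check_header(key, val)
        super().add_unredirected_header(key, val)


def try_add(name, value):
    """Return 'accepted' or 'rejected: <reason>' for one header (no network I/O)."""
    req = StrictRequest("http://example.invalid/")
    try:
        req.add_header(name, value)
    except ValueError as exc:
        return "rejected: %s" % exc
    return "accepted"


if __name__ == "__main__":
    # Constructed sample inputs: one valid header, a name with a trailing
    # colon, and a value carrying an embedded CRLF.
    for name, value in [("User-Agent", "demo/1.0"),
                        ("User-Agent:", "demo/1.0"),
                        ("X-Note", "a\r\nX-Extra: b")]:
        print(repr(name), repr(value), "->", try_add(name, value))
```

With this in place the traceback points at the code that supplied the bad header, not at the HTTP layer that later renders it.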