Martin Panter <vadmium...@gmail.com> added the comment: The square □ in the strings represents a space.
Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "http://127.0.0.1:25/\r\nHELO . . .". This becomes like the header injection I mentioned in Issue 30458. Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of Issue 22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379". ---------- dependencies: +CRLF Injection in httplib nosy: +martin.panter, orange _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32085> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
