STINNER Victor <vstin...@python.org> added the comment:
> The recommended solution is to only allow the standard HTTP methods of GET,
> HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.

I don't think that we have to be so strict. We can maybe restrict the HTTP method to ASCII letters, or just reject control characters (U+0000-U+001f).

Similar issues (fixed):

* https://python-security.readthedocs.io/vuln/http-header-injection2.html
* https://python-security.readthedocs.io/vuln/http-header-injection.html

----------
nosy: +orsenthil, vstinner

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39603>
_______________________________________
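The following is an added example, not code from this thread or from CPython's http.client. It shows why an unchecked method string is a header-injection vector (a CRLF inside the method terminates the request line and the remainder is read as headers) and puts the two looser checks proposed in the reply side by side: rejecting C0 control characters, and allowing ASCII letters only. A third check against RFC 7230 token characters is included for comparison; it is not part of the thread. All function names, the naive serialiser and the constructed attacker input are hypothetical.

```python
import re

# Victor's proposal: reject any C0 control character (U+0000-U+001F). CR and
# LF are the ones that let a method value terminate the request line early.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f]")

# Stricter alternative from the same reply: ASCII letters only.
_ASCII_LETTERS_RE = re.compile(r"[A-Za-z]+")

# Middle ground, not from the thread: RFC 7230 "token" characters, which
# admit every method that is syntactically legal on the wire, e.g. M-SEARCH.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def method_has_control_chars(method: str) -> bool:
    return _CONTROL_CHAR_RE.search(method) is not None


def method_is_ascii_letters(method: str) -> bool:
    return _ASCII_LETTERS_RE.fullmatch(method) is not None


def method_is_token(method: str) -> bool:
    return _TOKEN_RE.fullmatch(method) is not None


def build_request(method: str, path: str, headers: dict) -> bytes:
    """Naive serialiser (hypothetical): the caller-supplied method is
    interpolated into the request line without any validation."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_build_request(method: str, path: str, headers: dict) -> bytes:
    """Same serialiser behind the control-character check from the reply."""
    if method_has_control_chars(method):
        raise ValueError(f"HTTP method contains control characters: {method!r}")
    return build_request(method, path, headers)


def header_names(raw: bytes) -> list:
    """Header field names as a lenient recipient would read them. Lines
    without a colon (the stray request line the injection leaves behind)
    are skipped here; a real server would reject or misparse them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:
        if b":" in line:
            names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


# Constructed attacker-controlled method value: it closes the request line
# and smuggles a header the application never set.
MALICIOUS_METHOD = "GET /index.html HTTP/1.1\r\nX-Injected: yes\r\nGET"

if __name__ == "__main__":
    raw = build_request(MALICIOUS_METHOD, "/real", {"Host": "example.com"})
    print(raw)
    print(header_names(raw))  # ['X-Injected', 'Host']
    for m in ("GET", "PROPFIND", "M-SEARCH", MALICIOUS_METHOD):
        print(repr(m)[:40], method_has_control_chars(m),
              method_is_ascii_letters(m), method_is_token(m))
```

The control-character check is the minimal one: it blocks the injection while still accepting any method a server could legitimately parse. The letters-only variant is safe too but rejects legal non-alphabetic methods such as M-SEARCH, which is the kind of breakage a fixed whitelist would also cause.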