.. _http-header-injection-method:

http.client: HTTP Header Injection in the HTTP method
=====================================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

It is possible to inject HTTP headers via the HTTP method, because http.client does not reject newline characters in the method name.

Dates:

* Disclosure date: **2020-02-10** (Python issue bpo-39603 reported)

Fixed In
--------

* Python **3.5.10** (2020-09-05) fixed by `commit 524b8de (branch 3.5) `_ (2020-09-04)
* Python **3.6.12** (2020-08-15) fixed by `commit f02de96 (branch 3.6) `_ (2020-07-19)
* Python **3.7.9** (2020-08-15) fixed by `commit ca75fec (branch 3.7) `_ (2020-07-19)
* Python **3.8.5** (2020-07-20) fixed by `commit 668d321 (branch 3.8) `_ (2020-07-18)
* Python **3.9.0** (2020-10-05) fixed by `commit 27b8110 (branch 3.9) `_ (2020-07-18)

Python issue
------------

[security][CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method.

* Python issue: `bpo-39603 `_
* Creation date: 2020-02-10
* Reporter: Max

CVE-2020-26116
--------------

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
* CVE ID: `CVE-2020-26116 `_
* Published: 2020-09-27
* `CVSS Score `_: 6.4

Timeline
--------

Timeline using the disclosure date **2020-02-10** as reference:

* 2020-02-10: `Python issue bpo-39603 `_ reported by Max
* 2020-07-18 (**+159 days**): `commit 27b8110 (branch 3.9) `_
* 2020-07-18 (**+159 days**): `commit 668d321 (branch 3.8) `_
* 2020-07-19 (**+160 days**): `commit ca75fec (branch 3.7) `_
* 2020-07-19 (**+160 days**): `commit f02de96 (branch 3.6) `_
* 2020-07-20 (**+161 days**): Python 3.8.5 released
* 2020-08-15 (**+187 days**): Python 3.6.12 released
* 2020-08-15 (**+187 days**): Python 3.7.9 released
* 2020-09-04 (**+207 days**): `commit 524b8de (branch 3.5) `_
* 2020-09-05 (**+208 days**): Python 3.5.10 released
* 2020-09-27 (**+230 days**): CVE-2020-26116 published
* 2020-10-05: Python 3.9.0 released
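The CVE text above says the injection point is an attacker-controlled method passed as the first argument of ``HTTPConnection.request``, and the fix commits listed under *Fixed In* make http.client reject control characters in the method name. The following is an added example, not code from this page or from CPython: a stand-alone validator and wrapper that apply the same kind of check before the method ever reaches http.client, so an application that cannot yet upgrade is still protected, plus an offline probe that reports whether the running interpreter already carries the fix. The function names (``validate_method``, ``is_safe_method``, ``safe_request``, ``interpreter_rejects_crlf_method``) and the sample method strings are this example's own; the control-character range mirrors the one the fix uses, and the additional token check is an assumption drawn from the HTTP grammar rather than from the page.

```python
"""Defensive handling of CVE-2020-26116 (CRLF in the HTTP method name).

Added example; not part of the python-security page or of CPython.
"""
import http.client
import re

# ASCII control characters. CR (0x0d) and LF (0x0a) end the request line and
# let extra header lines be smuggled in; rejecting the whole range follows the
# approach of the bpo-39603 fix.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")

# Characters a legitimate HTTP method (an RFC 7230 "token") may contain.
# Stricter than the control-character check alone: also rejects spaces and DEL.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_method(method: str) -> str:
    """Return ``method`` unchanged if it is a safe HTTP token, else raise ValueError."""
    match = _CONTROL_CHARS.search(method)
    if match:
        raise ValueError(
            f"method can't contain control characters: {method!r} "
            f"(found {match.group()!r})"
        )
    if not _TOKEN_RE.match(method):
        raise ValueError(f"method is not a valid HTTP token: {method!r}")
    return method


def is_safe_method(method: str) -> bool:
    """Boolean form of validate_method, convenient for input filtering and tests."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def safe_request(conn: http.client.HTTPConnection, method: str, url: str,
                 body=None, headers=None):
    """HTTPConnection.request with the method validated first.

    Use this wherever the method name can be influenced by untrusted input
    (for example an HTTP proxy or API gateway forwarding client verbs).
    """
    validate_method(method)
    return conn.request(method, url, body=body, headers=headers or {})


def interpreter_rejects_crlf_method() -> bool:
    """True when the running http.client carries the bpo-39603 fix.

    putrequest() only builds the outgoing buffer and does not connect, so this
    probe works offline. Fixed versions raise ValueError for a method that
    contains control characters; unfixed ones accept it silently.
    """
    conn = http.client.HTTPConnection("localhost")  # never connected
    try:
        conn.putrequest("GET\r\nX-Injected: 1", "/")  # constructed sample input
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample method names: two legitimate, one carrying CRLF.
    for sample in ("GET", "PATCH", "GET\r\nX-Injected: 1"):
        try:
            validate_method(sample)
            print(f"{sample!r}: accepted")
        except ValueError as exc:
            print(f"{sample!r}: rejected ({exc})")
    print("interpreter has the fix:", interpreter_rejects_crlf_method())
```

The probe is useful in a deployment check or a CI job: if ``interpreter_rejects_crlf_method()`` is false, the interpreter predates the fixed releases listed above and the wrapper is the only thing standing between untrusted input and the request line.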