.. _http-header-injection:

HTTP header injection
=====================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

HTTP header injection in the ``urllib``, ``urllib2``, ``httplib`` and ``http.client`` modules.

CRLF injection vulnerability in the ``HTTPConnection.putheader()`` function in ``urllib2`` and ``urllib`` in CPython before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL: the function wrote the header value verbatim, so a value containing a CR/LF pair terminated the header and started a new one in the outgoing request.

Reported again in January 2016 by Timothy D. Morgan (Blindspot Security), with full disclosure on 2016-06-15.

Dates:

* Disclosure date: **2014-11-24** (Python issue bpo-22928 reported)
* `Red Hat impact `_: Moderate

Fixed In
--------

* Python **2.7.10** (2015-05-23) fixed by `commit 59bdf63 (branch 2.7) `_ (2015-03-12)
* Python **3.3.7** (2017-09-19) fixed by `commit 8e88f6b (branch 3.3) `_ (2017-07-26)
* Python **3.4.4** (2015-12-20) fixed by `commit a112a8a (branch 3.4) `_ (2015-03-12)
* Python **3.5.0** (2015-09-12) fixed by `commit a112a8a (branch 3.4) `_ (2015-03-12)

Python issue
------------

HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).

* Python issue: `bpo-22928 `_
* Creation date: 2014-11-24
* Reporter: Guido Vranken

CVE-2016-5699
-------------

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
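The mechanism described above, as an added example that is neither code from this page nor the CPython source or patch: a simplified model of an unchecked ``putheader()`` beside a checked one, a server-side header parser to show what the injected bytes become, and a probe that asks the running interpreter's own ``http.client`` whether it carries the fix. The attacker value, the ``victim.example`` host name and all function names are constructed for the example.

```python
"""CRLF injection through an unvalidated HTTP header value (the CVE-2016-5699 class).

Added example, not the CPython source and not the upstream patch.  It models the
behaviour the page describes: before the fix, HTTPConnection.putheader() wrote
"name: value" followed by CRLF without checking the value, so a value derived
from an attacker-influenced URL component could end the header and start a new one.
"""
import http.client
import re

CRLF = b"\r\n"

# Constructed attacker input: a host string carrying a CRLF sequence and a second
# header.  In the real bug the CRLF arrived through a URL; how a caller turned that
# URL component into a header value is outside this example.
ATTACKER_HOST = "victim.example\r\nX-Injected: 1"


def serialize_request_unchecked(method, path, headers):
    """Model of the pre-fix behaviour: header values are emitted verbatim."""
    lines = [f"{method} {path} HTTP/1.1".encode("ascii")]
    for name, value in headers:
        lines.append(name.encode("latin-1") + b": " + value.encode("latin-1"))
    return CRLF.join(lines) + CRLF + CRLF


# Assumed rules for the hardened model (this example's own, not CPython's): a name
# is a single token that does not start with a colon or whitespace and contains no
# colon, CR or LF; a value contains no CR or LF at all.  Rejecting every CR/LF is
# stricter than the standard library, which still tolerates obsolete line folding
# (CRLF followed by a space or tab); a client has no legitimate use for folding.
_LEGAL_HEADER_NAME = re.compile(r"[^:\s][^:\r\n]*")
_ILLEGAL_HEADER_VALUE = re.compile(r"[\r\n]")


def serialize_request_checked(method, path, headers):
    """Hardened model: refuse any header that could split the message."""
    lines = [f"{method} {path} HTTP/1.1".encode("ascii")]
    for name, value in headers:
        if not _LEGAL_HEADER_NAME.fullmatch(name):
            raise ValueError(f"Invalid header name {name!r}")
        if _ILLEGAL_HEADER_VALUE.search(value):
            raise ValueError(f"Invalid header value {value!r}")
        lines.append(name.encode("latin-1") + b": " + value.encode("latin-1"))
    return CRLF.join(lines) + CRLF + CRLF


def parse_headers(raw):
    """Split a serialized request the way a server does: one header per CRLF-
    terminated line.  Returns (request_line, {name: value}); a later duplicate wins."""
    head, _, _ = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1")] = value.strip().decode("latin-1")
    return request_line.decode("latin-1"), headers


def rejected(serializer, headers):
    """True if the serializer refuses the header list with ValueError."""
    try:
        serializer("GET", "/", headers)
    except ValueError:
        return True
    return False


def stdlib_rejects_crlf():
    """True if the running http.client refuses a CR/LF header value, i.e. it
    carries the fix.  putrequest() and putheader() only buffer output; nothing
    is sent, so no server and no network access are needed."""
    conn = http.client.HTTPConnection("127.0.0.1", 80)
    try:
        conn.putrequest("GET", "/")
        conn.putheader("X-Test", ATTACKER_HOST)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    _, seen = parse_headers(serialize_request_unchecked("GET", "/", [("Host", ATTACKER_HOST)]))
    print("unchecked: server sees headers", seen)  # X-Injected is now a header of its own
    print("checked  : rejected =", rejected(serialize_request_checked, [("Host", ATTACKER_HOST)]))
    print("stdlib   : rejects CR/LF =", stdlib_rejects_crlf())
```

Run the block directly to see the three results. The same probe against an interpreter older than the versions listed under "Fixed In" is expected to return ``False``, because its ``putheader()`` buffers the value unchanged; that is the only difference between the two models above and the reason the fix is a validation step at the point of serialization rather than anywhere upstream of it.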
* CVE ID: `CVE-2016-5699 `_
* Published: 2016-09-02
* `CVSS Score `_: 4.3

Timeline
--------

Timeline using the disclosure date **2014-11-24** as reference:

* 2014-11-24: `Python issue bpo-22928 `_ reported by Guido Vranken
* 2015-03-12 (**+108 days**): `commit 59bdf63 (branch 2.7) `_
* 2015-03-12 (**+108 days**): `commit a112a8a (branch 3.4) `_
* 2015-05-23 (**+180 days**): Python 2.7.10 released
* 2015-09-12 (**+292 days**): Python 3.5.0 released
* 2015-12-20 (**+391 days**): Python 3.4.4 released
* 2016-09-02 (**+648 days**): CVE-2016-5699 published
* 2017-07-26 (**+975 days**): `commit 8e88f6b (branch 3.3) `_
* 2017-09-19 (**+1030 days**): Python 3.3.7 released

Links
-----

* http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html