http.client: HTTP Header Injection in the HTTP method

It is possible to inject HTTP headers via the HTTP method which doesn’t reject newline characters.

  • Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)

Fixed In

Vulnerable Versions

  • Python 3.6 (need release)
  • Python 3.7 (need release)

Python issue

[security] http.client: HTTP Header Injection in the HTTP method.

  • Python issue: bpo-39603
  • Creation date: 2020-02-10
  • Reporter: Max

CVE-2020-26116

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Timeline

Timeline using the disclosure date 2020-02-10 as reference: