http.client: HTTP Header Injection in the HTTP method

It is possible to inject HTTP headers via the HTTP method which doesn’t reject newline characters.

  • Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)

Fixed In

Vulnerable Versions

  • Python 3.6 (need release)
  • Python 3.7 (need release)

Python issue

[security] http.client: HTTP Header Injection in the HTTP method.

  • Python issue: bpo-39603
  • Creation date: 2020-02-10
  • Reporter: Max

Timeline

Timeline using the disclosure date 2020-02-10 as reference: