http.client: HTTP Header Injection in the HTTP method

It is possible to inject HTTP headers via the HTTP method which doesn’t reject newline characters.

Dates:

• Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)

Fixed In

• Python 3.5.10 (2020-09-05) fixed by commit 524b8de (branch 3.5) (2020-09-04)
• Python 3.6.12 (2020-08-15) fixed by commit f02de96 (branch 3.6) (2020-07-19)
• Python 3.7.9 (2020-08-15) fixed by commit ca75fec (branch 3.7) (2020-07-19)
• Python 3.8.5 (2020-07-20) fixed by commit 668d321 (branch 3.8) (2020-07-18)
• Python 3.9.0 (2020-10-05) fixed by commit 27b8110 (branch 3.9) (2020-07-18)

Python issue

[security][ CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method.

• Python issue: bpo-39603
• Creation date: 2020-02-10
• Reporter: Max

CVE-2020-26116

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

• CVE ID: CVE-2020-26116
• Published: 2020-09-27
• CVSS Score: 6.4

Timeline

Timeline using the disclosure date 2020-02-10 as reference:

• 2020-02-10: Python issue bpo-39603 reported by Max
• 2020-07-18 (+159 days): commit 27b8110 (branch 3.9)
• 2020-07-18 (+159 days): commit 668d321 (branch 3.8)
• 2020-07-19 (+160 days): commit ca75fec (branch 3.7)
• 2020-07-19 (+160 days): commit f02de96 (branch 3.6)
• 2020-07-20 (+161 days): Python 3.8.5 released
• 2020-08-15 (+187 days): Python 3.6.12 released
• 2020-08-15 (+187 days): Python 3.7.9 released
• 2020-09-04 (+207 days): commit 524b8de (branch 3.5)
• 2020-09-05 (+208 days): Python 3.5.10 released
• 2020-09-27 (+230 days): CVE-2020-26116 published
• 2020-10-05: Python 3.9.0 released