HTTP Header Injection (follow-up of CVE-2016-5699)

HTTP Header Injection, follow-up of CVE-2016-5699.

The fix disallows control chars in HTTP URLs.

This change broke applications sending invalid HTTP requests on purpose: bpo-36274 added private methods to the http.client.HTTPConnection class (_encode_request() and _validate_path()) which can be overridden in a subclass for that.

Note: Python 2 urllib.urlopen(url) always quotes the URL and so is not vulnerable to HTTP Header Injection.
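The added example below (not code from the page or from CPython) makes the fix visible from the caller's side. It mirrors the character class that the patched http.client uses in its private _validate_path() check (an assumption about the stdlib regex, stated in a comment), shows where in a URL the disallowed character sits (path for the CVE-2019-9947 shape, query string for the CVE-2019-9740 shape), confirms that the installed http.client now refuses such a request line with http.client.InvalidURL, and shows percent-encoding as the mitigation that Python 2's urllib.urlopen applied. Host names and URLs are constructed for the demonstration; nothing is ever sent on the network.

```python
import re
import urllib.parse
import http.client

# Assumption: this is the same character class the patched http.client uses in
# its private _validate_path() check (ASCII control characters, space, DEL).
# Mirrored here so the check is visible and testable outside the stdlib.
_DISALLOWED_URL_PCHAR = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample URLs (example.invalid never resolves).
SAMPLES = {
    "clean": "http://example.invalid/api?id=1",
    # CVE-2019-9947 shape: CR/LF in the path of a URL with no '?'
    "path": "http://example.invalid/api\r\nX-Injected: 1\r\n",
    # CVE-2019-9740 shape: CR/LF in the query string after '?'
    "query": "http://example.invalid/api?q=1\r\nX-Injected: 1",
}


def split_request_target(url):
    """Split url into (path, query) by hand.

    urllib.parse.urlsplit() is deliberately not used: recent versions strip
    \\r, \\n and \\t before parsing, which would hide exactly the bytes this
    check is looking for.
    """
    rest = url.split("://", 1)[1] if "://" in url else url   # drop scheme://authority
    slash = rest.find("/")
    target = rest[slash:] if slash != -1 else "/"
    target = target.split("#", 1)[0]                          # fragment never hits the wire
    path, _sep, query = target.partition("?")
    return path, query


def classify_injection(url):
    """Return 'path', 'query' or None depending on where a disallowed
    character first appears in the request target."""
    path, query = split_request_target(url)
    if _DISALLOWED_URL_PCHAR.search(path):
        return "path"
    if _DISALLOWED_URL_PCHAR.search(query):
        return "query"
    return None


def stdlib_rejects(url):
    """True if the installed http.client refuses to put the request line on
    the wire. putrequest() only buffers the line, so no connection is made;
    patched versions raise http.client.InvalidURL before buffering."""
    path, query = split_request_target(url)
    target = path + ("?" + query if query else "")
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", target)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


def percent_encode_target(url):
    """Mitigation for callers that must carry untrusted data in a URL:
    percent-encode path and query so CR/LF become %0D%0A and can no longer
    terminate the request line (what Python 2's urllib.urlopen did)."""
    path, query = split_request_target(url)
    safe_path = urllib.parse.quote(path, safe="/%")
    safe_query = urllib.parse.quote(query, safe="=&%")
    return safe_path + ("?" + safe_query if query else "")


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:5s} injection={classify_injection(url)!s:5s} "
              f"stdlib_rejects={stdlib_rejects(url)} "
              f"encoded={percent_encode_target(url)!r}")
```

Running it shows the clean URL passing both checks, the two CVE-shaped URLs being classified by component and refused by http.client, and the encoded form of each with the CR/LF turned into %0D%0A.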

  • Disclosure date: 2017-05-24 (Python issue bpo-30458 reported)

Fixed In

Python issue

[security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699).

  • Python issue: bpo-30458
  • Creation date: 2017-05-24
  • Reporter: Orange

CVE-2019-9740

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.

Timeline

Timeline using the disclosure date 2017-05-24 as reference: