@push0ebp
Contributor

@push0ebp push0ebp commented Mar 24, 2019

Disallowing line break in URL parser.
Although I reported this security issue a few months ago, it has not been fixed.
Please patch this vulnerability.

https://bugs.python.org/issue35906

This was referenced Mar 24, 2019
@push0ebp push0ebp changed the title bpo-35906: Fix CRLF injection in urllib [3.7] bpo-35906: Fix CRLF injection in urllib (GH-12524) Mar 24, 2019
@push0ebp push0ebp changed the title [3.7] bpo-35906: Fix CRLF injection in urllib (GH-12524) bpo-35906: Fix CRLF injection in urllib Mar 24, 2019
@push0ebp
Contributor Author

This is not maintenance, but the maintenance-branch-pr bot detected this PR as maintenance.

@matrixise
Member

Related to this PR #11768

@push0ebp
Contributor Author

Hi, I am waiting for a patch, but they have not patched it yet, so I sent a PR again.

@tomashek

tomashek commented Apr 4, 2019

Is this the accepted resolution of CVE-2019-9947? If so, what is blocking the merging of this PR?

@push0ebp
Contributor Author

push0ebp commented Apr 7, 2019

> Is this the accepted resolution of CVE-2019-9947? If so, what is blocking the merging of this PR?

They have not accepted it yet. I guess that they seem to be interested in this vulnerability. I sent a report to Python security a few weeks ago, but they haven't replied.

@csabella
Contributor

csabella commented May 29, 2019

Thank you for the patch. Based on the last message on this ticket, this is fixed in bpo-30458, so I'm closing this pull request. Please add a comment to bpo-30458 if you believe it needs further discussion. Thanks!

@csabella csabella closed this May 29, 2019