TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.
© 2025 TechEcho. All rights reserved.

Python urllib CRLF injection vulnerability

94 points by robin0 about 6 years ago

9 comments

kccqzy about 6 years ago
This is far from uncommon. Back in DEFCON 2017 Orange Tsai gave a talk about inconsistencies in different URL parsing libraries in different languages. The opening example was a single URL that had a different hostname when parsed by urllib, urllib2, and requests. He also demoed examples of using unusual characters like spaces and newlines to talk to Redis or SMTP while pretending to be HTTP.

Slides: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Orange-Tsai-A-New-Era-of-SSRF-Exploiting-URL-Parser%20in-Trending-Programming-Languages-UPDATED.pdf
haikuginger about 6 years ago
Python urllib3 maintainer here. urllib3 made a change to be more RFC-compliant in December, which fixed this issue, but that change has not been released yet. We are in the process of looking into that.

I have verified that Requests, which uses us, appears to have its own handling, back at least to requests 2.0 (released in 2013), that prevents this when used directly as an abstraction layer on top of urllib3.
cbsks about 6 years ago
The link should probably be changed to the actual bug: https://bugs.python.org/issue36276
jaybosamiya about 6 years ago
Relevant (and super cool) previous work, done by Orange Tsai: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
1wd about 6 years ago
Python 3 urllib and other stdlib protocol modules also use `splitlines`, which splits on various Unicode "newlines". Could that also be exploitable somehow? https://discuss.python.org/t/changing-str-splitlines-to-match-file-readlines/174
peterwwillis about 6 years ago
Key takeaway: don't expect a library to do the safe thing; always sanitize all your input. (If your language supports taint mode, enabling it can prevent these bugs.)
anaphor about 6 years ago
Does anyone know if this also affects the Requests library? Does it use these under the hood, or is it all httplib? (I'm pretty sure that's the case.)
vldo about 6 years ago
Seems like an ad for coocoor.

Actual CVE entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
hannob about 6 years ago
Probably worth checking other implementations. The comments already mention that urllib3 is affected as well.