Python (IBB): CRLF Injection in urllib

2019-05-25T10:16:29
ID H1:590020
Type hackerone
Reporter push0ebp
Modified 2020-05-06T02:15:20

Description

Hi. I found a CRLF injection a few months ago. Please refer to my bug issue: https://bugs.python.org/issue35906

Thank you

Impact

Leads to SSRF, e.g. can exploit an internal Redis server to send arbitrary packet data, including ASCII and non-ASCII.
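For code that passes caller-supplied URLs to urllib, the following added example (not part of the report and not CPython's own code) shows an application-level guard that rejects CR, LF, other control characters and raw non-ASCII before the URL reaches the HTTP layer. The names `check_outbound_url`, `is_safe`, `UnsafeURL` and `ALLOWED_SCHEMES` are hypothetical, the scheme allowlist is an assumption, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Raw C0 controls (including CR and LF), space and DEL never belong in a URL.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: the app only fetches web URLs


class UnsafeURL(ValueError):
    """Hypothetical exception: the URL must not be passed to urllib."""


def check_outbound_url(url):
    """Return url unchanged if it is safe to hand to urllib.request.urlopen()."""
    if not isinstance(url, str):
        raise UnsafeURL("URL must be a str")
    # Check the raw string first: newer urlsplit() versions silently strip
    # tab, CR and LF, which would hide the injection attempt from later checks.
    hit = _FORBIDDEN.search(url)
    if hit:
        raise UnsafeURL(f"forbidden character {hit.group()!r} at offset {hit.start()}")
    if not url.isascii():
        raise UnsafeURL("non-ASCII character; percent-encode it first")
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        raise UnsafeURL(str(exc)) from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeURL("missing host")
    return url


def is_safe(url):
    """Boolean wrapper around check_outbound_url() for filtering and logging."""
    try:
        check_outbound_url(url)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    for sample in ["https://example.com/api?q=1",
                   "http://127.0.0.1:8080/a\r\nX-Injected: 1",
                   "http://example.com/\u00e9"]:
        print(f"{is_safe(sample)!s:5} {sample!r}")
```

Call the guard at the point where untrusted input becomes a URL, and log the rejected value with `repr()` so the control characters are visible in the log.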