Python CPython
cpe:2.3:a:python:cpython:*:*:*:*:*:*:*
A vulnerability exists in the Python HTTP client that allows carriage return and line feed (CR/LF) characters to be injected into proxy tunnel headers. This issue can lead to header splitting, a common technique used in HTTP response splitting attacks. The vulnerability is present in the HTTPConnection.set_tunnel() method, where the CR/LF characters are not properly sanitized before the headers are sent.
This vulnerability could be exploited to perform HTTP header splitting, potentially leading to injection attacks or manipulation of HTTP responses.
To reproduce this vulnerability, create an HTTP connection using the HTTPConnection class. Set a tunnel host that includes CR/LF characters, such as 'invalid .host'. Then, call the ._tunnel() method, which will raise a ValueError indicating that the tunnel host contains control characters. This demonstrates that the CR/LF characters were not properly sanitized, allowing for header injection.
Users should update to the latest version of Python, where this vulnerability has been addressed. Instructions for updating can be found in the Python documentation.
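For code that may still run on an interpreter without the fix, the tunnel host and headers can be checked before they reach set_tunnel(). The following is an added example, not CPython's own code or its patch; the helper names find_tunnel_injection and safe_set_tunnel, the proxy name and the sample values are hypothetical and constructed for illustration.

```python
import http.client
import re

# Hypothetical helpers; not part of http.client.
_CTL = re.compile(r"[\x00-\x1f\x7f]")                       # any control character
_CTL_EXCEPT_TAB = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")   # HTAB is legal in values


def find_tunnel_injection(host, headers=None):
    """Return labels of the tunnel fields that carry control characters."""
    bad = []
    if _CTL.search(host):
        bad.append("host")
    for name, value in (headers or {}).items():
        # CR/LF in either the name or the value would start a new header line
        # in the CONNECT request sent to the proxy.
        if _CTL.search(str(name)) or _CTL_EXCEPT_TAB.search(str(value)):
            bad.append(f"header:{name!r}")
    return bad


def safe_set_tunnel(conn, host, port=None, headers=None):
    """Validate tunnel parameters, then hand them to set_tunnel()."""
    bad = find_tunnel_injection(host, headers)
    if bad:
        raise ValueError(f"control characters in tunnel parameters: {bad}")
    conn.set_tunnel(host, port, headers)
    return conn


if __name__ == "__main__":
    # Constructed inputs; creating the connection object opens no socket.
    conn = http.client.HTTPConnection("proxy.example.test", 3128)
    safe_set_tunnel(conn, "example.org", 443, {"X-Trace": "abc123"})
    for host, hdrs in [
        ("example.org", {"X-Trace": "abc\r\nX-Injected: 1"}),
        ("invalid\r.host", None),
    ]:
        try:
            safe_set_tunnel(conn, host, 443, hdrs)
        except ValueError as exc:
            print("rejected:", exc)
```
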