Posted by Timothy D. Morgan on Jun 16

Python’s built-in URL library (“urllib2” in 2.x and “urllib” in 3.x)
is vulnerable to protocol stream injection attacks (a.k.a. “smuggling”
attacks) via the http scheme. If an attacker could convince a Python
application using this library to fetch an arbitrary URL, or fetch a
resource from a malicious web server, then these injections could
allow for a great deal of access to certain internal services.

URLs of…