I have pushed a major update to Command Injection.py.
The untrusted input is changed from URL to host name. Therefore, the security validation rules will be different. It also follows the hostname restriction specified in RFC3696.
If you have previously played this challenge, select “Delete my challenge repository and recreate it” when you start it. A great opportunity to learn how to build a secure hostname parser.
Any issues or feedback, please post here.