diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 9c71be53afd42b..3b87705dedb344 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1036,6 +1036,11 @@ def test_splithost(self):
         self.assertEqual(splithost("//example.net/file#"),
                          ('example.net', '/file#'))
+        # bpo-35906: # avoid the header injection
+        self.assertEqual(
+            splithost('//127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value'),
+            ('127.0.0.1:1234', '/?q=HTTP/1.1'))
+
 
     def test_splituser(self):
         splituser = urllib.parse._splituser
         self.assertEqual(splituser('User:Pass@www.python.org:080'),
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index dc2171144fc8ba..5e34a700be31ff 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -1004,8 +1004,13 @@ def _splithost(url):
     match = _hostprog.match(url)
     if match:
         host_port, path = match.groups()
+
+        if path:
+            path = path.splitlines()[0]
+
         if path and path[0] != '/':
             path = '/' + path
+
         return host_port, path
     return None, url
 
diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-02-06-09-28-59.bpo-35906.UUf668.rst b/Misc/NEWS.d/next/Core and Builtins/2019-02-06-09-28-59.bpo-35906.UUf668.rst
new file mode 100644
index 00000000000000..4b7d4b89a9737f
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-02-06-09-28-59.bpo-35906.UUf668.rst
@@ -0,0 +1 @@
+Avoid headers injection with urllib.urlopen.
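Review bot: The new assertion covers only a `\r\n` inside the query, while the `str.splitlines()` call it exercises in `_splithost` also cuts at a bare `\n` or `\r` and at `\x0b`, `\x0c`, `\x1c`-`\x1e`, `\x85`, `\u2028` and `\u2029`; one case per class would pin exactly which separators the function strips and make any later change to that set visible in the test run. The added comment has a doubled `#` marker and does not say what the expected behaviour is; `# bpo-35906: anything after a line break in the path is dropped` would be clearer. The enclosing test_splithost begins before the hunk.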
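Review bot: `path = path.splitlines()[0]` silently truncates rather than rejects: a path containing a line boundary is shortened and the call returns normally, so the caller ends up addressing a different resource with no signal that the input was altered. `str.splitlines()` also splits on `\x0b`, `\x0c`, `\x1c`-`\x1e`, `\x85`, `\u2028` and `\u2029`, so a path carrying one of those is quietly changed even though only CR and LF matter for the request line. Raising `ValueError` when `path` contains a character from the rejected set, with a comment such as `# bpo-35906: a line break here would terminate the request line; reject rather than truncate`, is the safer and more debuggable contract. The check is also applied only to `path`; `host_port` from the same match is returned unchanged, which is worth confirming is validated elsewhere.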