
Prevent header injection in http methods (GH-18485) (#21946) · python/cpython@524b8de · GitHub

3 files changed

+42

-2

lines changed


@@ -151,6 +151,10 @@

151 151

# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")

152 152

# We are more lenient for assumed real world compatibility purposes.

153 153 154 +

# These characters are not allowed within HTTP method names

155 +

# to prevent http header injection.

156 +

_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')

157 + 154 158

# We always set the Content-Length header for these methods because some

155 159

# servers will otherwise respond with a 411

156 160

_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}

@@ -985,6 +989,8 @@ def putrequest(self, method, url, skip_host=False,

985 989

else:

986 990

raise CannotSendRequest(self.__state)

987 991 992 +

self._validate_method(method)

993 + 988 994

# Save the method for use later in the response phase

989 995

self._method = method

990 996

@@ -1075,6 +1081,16 @@ def _encode_request(self, request):

1075 1081

# ASCII also helps prevent CVE-2019-9740.

1076 1082

return request.encode('ascii')

1077 1083 1084 +

def _validate_method(self, method):

1085 +

"""Validate a method name for putrequest."""

1086 +

# prevent http header injection

1087 +

match = _contains_disallowed_method_pchar_re.search(method)

1088 +

if match:

1089 +

raise ValueError(

1090 +

"method can't contain control characters. %r "

1091 +

"(found at least %r)"

1092 +

% (method, match.group()))

1093 + 1078 1094

def _validate_path(self, url):

1079 1095

"""Validate a url for putrequest."""

1080 1096

# Prevent CVE-2019-9740.
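Review bot: `_contains_disallowed_method_pchar_re` (new line 156 in the first hunk) rejects only the C0 range 0x00–0x1f, so DEL (0x7f) and non-token ASCII such as space or `/` still pass `_validate_method` and reach the request line unchanged; non-ASCII is already stopped by the `request.encode('ascii')` on line 1082, but these ASCII cases are not. The HTTP method is a token (RFC 7230 §3.2.6: ALPHA, DIGIT and a short list of punctuation), so a whitelist on that grammar would be the tighter check; the minimal change that keeps the "control characters" error text accurate is `_contains_disallowed_method_pchar_re = re.compile(r'[\x00-\x1f\x7f]')`. The pattern is also written as a plain string literal, so the `\x00`/`\x1f` escapes are expanded by Python before `re` sees them; that works, but the raw-string form `r'[\x00-\x1f]'` matches the commented-out pattern on line 151 and is the usual convention for regexes. The `putrequest` hunk calls the validator before `self._method` is stored, which is the right place; `putrequest` itself starts and ends outside the hunk.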


@@ -344,6 +344,28 @@ def test_invalid_headers(self):

344 344

conn.putheader(name, value)

345 345 346 346 347 +

class HttpMethodTests(TestCase):

348 +

def test_invalid_method_names(self):

349 +

methods = (

350 +

'GET\r',

351 +

'POST\n',

352 +

'PUT\n\r',

353 +

'POST\nValue',

354 +

'POST\nHOST:abc',

355 +

'GET\nrHost:abc\n',

356 +

'POST\rRemainder:\r',

357 +

'GET\rHOST:\n',

358 +

'\nPUT'

359 +

)

360 + 361 +

for method in methods:

362 +

with self.assertRaisesRegex(

363 +

ValueError, "method can't contain control characters"):

364 +

conn = client.HTTPConnection('example.com')

365 +

conn.sock = FakeSocket(None)

366 +

conn.request(method=method, url="/")

367 + 368 + 347 369

class BasicTest(TestCase):

348 370

def test_status_lines(self):

349 371

# Test HTTP status lines

@@ -1783,8 +1805,8 @@ def test_tunnel_debuglog(self):

1783 1805 1784 1806

@support.reap_threads

1785 1807

def test_main(verbose=None):

1786 -

support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,

1787 -

PersistenceTest,

1808 +

support.run_unittest(HeaderTests, OfflineTest, HttpMethodTests,

1809 +

BasicTest, TimeoutTest, PersistenceTest,

1788 1810

HTTPSTest, RequestBodyTest, SourceAddressTest,

1789 1811

HTTPResponseTest, ExtendedReadTest,

1790 1812

ExtendedReadTestChunked, TunnelTests)
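Review bot: `test_invalid_method_names` (new lines 348–366) only exercises `\r` and `\n`, while the pattern it guards rejects the whole 0x00–0x1f range; adding at least one other control, e.g. `'GET\x00'` and `'GET\tX'`, would pin the full range, and a positive case such as `conn.request(method='PROPFIND', url='/')` not raising would guard against a future over-tight pattern. `'GET\nrHost:abc\n'` at new line 355 reads like a mistyped `\r` (`'GET\n\rHost:abc\n'`); if the literal `r` is intended, a short comment saying so would help. `conn.sock = FakeSocket(None)` presumably only exists so that `request()` does not try to connect; since the validator raises before anything is sent, a one-line comment stating that would make the fixture's purpose clear.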


@@ -0,0 +1,2 @@

1 +

Prevent http header injection by rejecting control characters in

2 +

http.client.putrequest(...).
