
Showing content from https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf below:

Prevent header injection in http methods (GH-18485) · python/cpython@668d321 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+39

-0

lines changed


@@ -147,6 +147,10 @@

147 147

# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")

148 148

# We are more lenient for assumed real world compatibility purposes.

149 149 150 +

# These characters are not allowed within HTTP method names

151 +

# to prevent http header injection.

152 +

_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')

153 + 150 154

# We always set the Content-Length header for these methods because some

151 155

# servers will otherwise respond with a 411

152 156

_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}

@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,

1087 1091

else:

1088 1092

raise CannotSendRequest(self.__state)

1089 1093 1094 +

self._validate_method(method)

1095 + 1090 1096

# Save the method for use later in the response phase

1091 1097

self._method = method

1092 1098

@@ -1177,6 +1183,15 @@ def _encode_request(self, request):

1177 1183

# ASCII also helps prevent CVE-2019-9740.

1178 1184

return request.encode('ascii')

1179 1185 1186 +

def _validate_method(self, method):

1187 +

"""Validate a method name for putrequest."""

1188 +

# prevent http header injection

1189 +

match = _contains_disallowed_method_pchar_re.search(method)

1190 +

if match:

1191 +

raise ValueError(

1192 +

f"method can't contain control characters. {method!r} "

1193 +

f"(found at least {match.group()!r})")

1194 + 1180 1195

def _validate_path(self, url):

1181 1196

"""Validate a url for putrequest."""

1182 1197

# Prevent CVE-2019-9740.
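Review bot: The new `_contains_disallowed_method_pchar_re` at line 152 rejects only the C0 range (`\x00`-`\x1f`), so DEL (`\x7f`) and, more significantly, a space in the method name still pass `_validate_method` and are interpolated verbatim into the request line — something like `conn.request('GET /other HTTP/1.1', '/')` is accepted and produces a request line a server may well parse differently from what the caller intended, even though CRLF-based header injection (the stated goal) is blocked. HTTP method names are RFC 7230 tokens, so the most defensible fix is a negated token-class whitelist; if that is judged too strict for compatibility, at least widen the class to `_contains_disallowed_method_pchar_re = re.compile('[\x00-\x20\x7f]')`, which also rejects space and DEL and, presumably, lines it up with the pattern `_validate_path` uses below (that pattern is outside this hunk — confirm). Either change should be reflected in the `ValueError` text, which currently names only control characters. The `self._validate_method(method)` call is added inside `putrequest`, whose body begins before the hunk, so the placement relative to the state check is all that is visible here.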

Original file line number Diff line number Diff line change

@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):

364 364

self.assertEqual(lines[3], "header: Second: val2")

365 365 366 366 367 +

class HttpMethodTests(TestCase):

368 +

def test_invalid_method_names(self):

369 +

methods = (

370 +

'GET\r',

371 +

'POST\n',

372 +

'PUT\n\r',

373 +

'POST\nValue',

374 +

'POST\nHOST:abc',

375 +

'GET\nrHost:abc\n',

376 +

'POST\rRemainder:\r',

377 +

'GET\rHOST:\n',

378 +

'\nPUT'

379 +

)

380 + 381 +

for method in methods:

382 +

with self.assertRaisesRegex(

383 +

ValueError, "method can't contain control characters"):

384 +

conn = client.HTTPConnection('example.com')

385 +

conn.sock = FakeSocket(None)

386 +

conn.request(method=method, url="/")

387 + 388 + 367 389

class TransferEncodingTest(TestCase):

368 390

expected_body = b"It's just a flesh wound"

369 391 Original file line number Diff line number Diff line change
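Review bot: `test_invalid_method_names` exercises only CR and LF, while the regex it guards (`[\x00-\x1f]` in http.client) rejects every C0 control, so the test would still pass if the pattern were later narrowed to `[\r\n]`; add at least one non-CRLF case such as `'GET\x00'` or `'PUT\x1f'` to the `methods` tuple. There is also no positive case showing that ordinary and extension methods still go through, which is the regression a new reject-list is most likely to introduce; a short loop over `('GET', 'PROPFIND', 'X-CUSTOM')` with the same `FakeSocket(None)` setup, calling `conn.request(method=method, url="/")` and expecting no exception, would pin that. `FakeSocket` is defined elsewhere in the test module, so its behaviour for a `None` payload is assumed from the existing usage. `HttpMethodTests` is fully contained in this section.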

@@ -0,0 +1,2 @@

1 +

Prevent http header injection by rejecting control characters in

2 +

http.client.putrequest(...).


