
Showing content from https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae below:

Prevent header injection in http methods (GH-18485) (GH-21… · python/cpython@f02de96 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+39

-0

lines changed


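--- a/<path not shown: http.client module>
+++ b/<path not shown: http.client module>
@@ -151,6 +151,10 @@
 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
 # We are more lenient for assumed real world compatibility purposes.
 
+# These characters are not allowed within HTTP method names
+# to prevent http header injection.
+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
+
 # We always set the Content-Length header for these methods because some
 # servers will otherwise respond with a 411
 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@@ -1119,6 +1123,8 @@ def putrequest(self, method, url, skip_host=False,
         else:
             raise CannotSendRequest(self.__state)
 
+        self._validate_method(method)
+
         # Save the method for use later in the response phase
         self._method = method
 
@@ -1209,6 +1215,15 @@ def _encode_request(self, request):
         # ASCII also helps prevent CVE-2019-9740.
         return request.encode('ascii')
 
+    def _validate_method(self, method):
+        """Validate a method name for putrequest."""
+        # prevent http header injection
+        match = _contains_disallowed_method_pchar_re.search(method)
+        if match:
+            raise ValueError(
+                f"method can't contain control characters. {method!r} "
+                f"(found at least {match.group()!r})")
+
     def _validate_path(self, url):
         """Validate a url for putrequest."""
         # Prevent CVE-2019-9740.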
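Review bot: `_contains_disallowed_method_pchar_re` stops at 0x1f, so DEL (0x7f) and the space character still pass `_validate_method`; neither ends a header line, so the CRLF injection this commit closes stays closed, but a space in the method presumably splits the request line that putrequest builds from it, and a class such as `re.compile(r'[\x00-\x20\x7f]')` would reject both and line up with the URL check `_validate_path` already applies (its pattern is outside the hunk, so I cannot confirm the exact range here). Writing the pattern as a raw string would also make it clearer that the escapes are meant for `re` rather than for the Python literal, although both forms compile to the same pattern. `_validate_method` is a method of a class whose header lies outside the hunk, and the `putrequest` body it is called from also starts before the hunk.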

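--- a/<path not shown: http.client test module>
+++ b/<path not shown: http.client test module>
@@ -359,6 +359,28 @@ def test_headers_debuglevel(self):
         self.assertEqual(lines[2], "header: Second: val")
 
 
+class HttpMethodTests(TestCase):
+    def test_invalid_method_names(self):
+        methods = (
+            'GET\r',
+            'POST\n',
+            'PUT\n\r',
+            'POST\nValue',
+            'POST\nHOST:abc',
+            'GET\nrHost:abc\n',
+            'POST\rRemainder:\r',
+            'GET\rHOST:\n',
+            '\nPUT'
+        )
+
+        for method in methods:
+            with self.assertRaisesRegex(
+                    ValueError, "method can't contain control characters"):
+                conn = client.HTTPConnection('example.com')
+                conn.sock = FakeSocket(None)
+                conn.request(method=method, url="/")
+
+
 class TransferEncodingTest(TestCase):
     expected_body = b"It's just a flesh wound"
 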
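Review bot: `test_invalid_method_names` only exercises CR and LF, while the validator it covers rejects the whole 0x00–0x1f range; one entry such as `'GET\x00'` or `'GE\tT'` would pin that wider contract rather than just the two line terminators. The entry `'GET\nrHost:abc\n'` looks like a typo for `'GET\n\rHost:abc\n'` (the bare `r` suggests an intended `\r`); as written it still fails on the `\n`, so the case is not lost, but the intent should be made explicit. A companion assertion that a plain `'GET'` is still accepted by the same `conn.request(...)` path would guard against the check later being tightened into rejecting valid methods.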

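--- /dev/null
+++ b/<path not shown: NEWS entry>
@@ -0,0 +1,2 @@
+Prevent http header injection by rejecting control characters in
+http.client.putrequest(...).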


