Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

bpo-39603: Prevent header injection in http methods (GH-18485) 

reject control chars in http method in http.client.putrequest to prevent http header injection
This commit is contained in:
AMIR 2020-07-19 00:46:10 +04:30 committed by GitHub
parent 9b01c598ca
commit 8ca8a2e8fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Lib/http/client.py
View File

@ -147,6 +147,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
# We are more lenient for assumed real world compatibility purposes. # We are more lenient for assumed real world compatibility purposes.
# These characters are not allowed within HTTP method names
# to prevent http header injection.
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
# We always set the Content-Length header for these methods because some # We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411 # servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@ -1102,6 +1106,8 @@ class HTTPConnection:
else: else:
raise CannotSendRequest(self.__state) raise CannotSendRequest(self.__state)
self._validate_method(method)
# Save the method for use later in the response phase # Save the method for use later in the response phase
self._method = method self._method = method
@ -1192,6 +1198,15 @@ class HTTPConnection:
# ASCII also helps prevent CVE-2019-9740. # ASCII also helps prevent CVE-2019-9740.
return request.encode('ascii') return request.encode('ascii')
def _validate_method(self, method):
"""Validate a method name for putrequest."""
# prevent http header injection
match = _contains_disallowed_method_pchar_re.search(method)
if match:
raise ValueError(
f"method can't contain control characters. {method!r} "
f"(found at least {match.group()!r})")
def _validate_path(self, url): def _validate_path(self, url):
"""Validate a url for putrequest.""" """Validate a url for putrequest."""
# Prevent CVE-2019-9740. # Prevent CVE-2019-9740.

22
Lib/test/test_httplib.py
View File

@ -368,6 +368,28 @@ class HeaderTests(TestCase):
self.assertEqual(lines[3], "header: Second: val2") self.assertEqual(lines[3], "header: Second: val2")
class HttpMethodTests(TestCase):
def test_invalid_method_names(self):
methods = (
'GET\r',
'POST\n',
'PUT\n\r',
'POST\nValue',
'POST\nHOST:abc',
'GET\nrHost:abc\n',
'POST\rRemainder:\r',
'GET\rHOST:\n',
'\nPUT'
)
for method in methods:
with self.assertRaisesRegex(
ValueError, "method can't contain control characters"):
conn = client.HTTPConnection('example.com')
conn.sock = FakeSocket(None)
conn.request(method=method, url="/")
class TransferEncodingTest(TestCase): class TransferEncodingTest(TestCase):
expected_body = b"It's just a flesh wound" expected_body = b"It's just a flesh wound"

2
Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst Normal file
View File

@ -0,0 +1,2 @@
Prevent http header injection by rejecting control characters in
http.client.putrequest(...).