bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538)
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb
)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
This commit is contained in:
parent
eb0d255ffe
commit
ca75fec1ed
|
@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
|||
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
|
||||
# We are more lenient for assumed real world compatibility purposes.
|
||||
|
||||
# These characters are not allowed within HTTP method names
|
||||
# to prevent http header injection.
|
||||
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
|
||||
|
||||
# We always set the Content-Length header for these methods because some
|
||||
# servers will otherwise respond with a 411
|
||||
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
|
||||
|
@ -1109,6 +1113,8 @@ class HTTPConnection:
|
|||
else:
|
||||
raise CannotSendRequest(self.__state)
|
||||
|
||||
self._validate_method(method)
|
||||
|
||||
# Save the method for use later in the response phase
|
||||
self._method = method
|
||||
|
||||
|
@ -1199,6 +1205,15 @@ class HTTPConnection:
|
|||
# ASCII also helps prevent CVE-2019-9740.
|
||||
return request.encode('ascii')
|
||||
|
||||
def _validate_method(self, method):
|
||||
"""Validate a method name for putrequest."""
|
||||
# prevent http header injection
|
||||
match = _contains_disallowed_method_pchar_re.search(method)
|
||||
if match:
|
||||
raise ValueError(
|
||||
f"method can't contain control characters. {method!r} "
|
||||
f"(found at least {match.group()!r})")
|
||||
|
||||
def _validate_path(self, url):
|
||||
"""Validate a url for putrequest."""
|
||||
# Prevent CVE-2019-9740.
|
||||
|
|
|
@ -363,6 +363,28 @@ class HeaderTests(TestCase):
|
|||
self.assertEqual(lines[3], "header: Second: val2")
|
||||
|
||||
|
||||
class HttpMethodTests(TestCase):
|
||||
def test_invalid_method_names(self):
|
||||
methods = (
|
||||
'GET\r',
|
||||
'POST\n',
|
||||
'PUT\n\r',
|
||||
'POST\nValue',
|
||||
'POST\nHOST:abc',
|
||||
'GET\nrHost:abc\n',
|
||||
'POST\rRemainder:\r',
|
||||
'GET\rHOST:\n',
|
||||
'\nPUT'
|
||||
)
|
||||
|
||||
for method in methods:
|
||||
with self.assertRaisesRegex(
|
||||
ValueError, "method can't contain control characters"):
|
||||
conn = client.HTTPConnection('example.com')
|
||||
conn.sock = FakeSocket(None)
|
||||
conn.request(method=method, url="/")
|
||||
|
||||
|
||||
class TransferEncodingTest(TestCase):
|
||||
expected_body = b"It's just a flesh wound"
|
||||
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
Prevent http header injection by rejecting control characters in
|
||||
http.client.putrequest(...).
|
Loading…
Reference in New Issue