bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538)

reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
This commit is contained in:
Miss Islington (bot) 2020-07-19 02:27:35 -07:00 committed by GitHub
parent eb0d255ffe
commit ca75fec1ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions

View File

@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
# We are more lenient for assumed real world compatibility purposes.
# These characters are not allowed within HTTP method names
# to prevent http header injection.
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
# We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@ -1109,6 +1113,8 @@ class HTTPConnection:
else:
raise CannotSendRequest(self.__state)
self._validate_method(method)
# Save the method for use later in the response phase
self._method = method
@ -1199,6 +1205,15 @@ class HTTPConnection:
# ASCII also helps prevent CVE-2019-9740.
return request.encode('ascii')
def _validate_method(self, method):
"""Validate a method name for putrequest."""
# prevent http header injection
match = _contains_disallowed_method_pchar_re.search(method)
if match:
raise ValueError(
f"method can't contain control characters. {method!r} "
f"(found at least {match.group()!r})")
def _validate_path(self, url):
"""Validate a url for putrequest."""
# Prevent CVE-2019-9740.

View File

@ -363,6 +363,28 @@ class HeaderTests(TestCase):
self.assertEqual(lines[3], "header: Second: val2")
class HttpMethodTests(TestCase):
def test_invalid_method_names(self):
methods = (
'GET\r',
'POST\n',
'PUT\n\r',
'POST\nValue',
'POST\nHOST:abc',
'GET\nrHost:abc\n',
'POST\rRemainder:\r',
'GET\rHOST:\n',
'\nPUT'
)
for method in methods:
with self.assertRaisesRegex(
ValueError, "method can't contain control characters"):
conn = client.HTTPConnection('example.com')
conn.sock = FakeSocket(None)
conn.request(method=method, url="/")
class TransferEncodingTest(TestCase):
expected_body = b"It's just a flesh wound"

View File

@ -0,0 +1,2 @@
Prevent http header injection by rejecting control characters in
http.client.putrequest(...).