8000 bpo-38576: Disallow control characters in hostnames in http.client (G… · python/cpython@9165add · GitHub
[go: up one dir, main page]
Skip to content

Commit 9165add

Browse files
epicfaaceepicfaace
authored
bpo-38576: Disallow control characters in hostnames in http.client (GH-18995)
Add host validation for control characters for more CVE-2019-18348 protection.
1 parent 6672c16 commit 9165add

File tree

4 files changed

+57
-3
lines changed

4 files changed

+57
-3
lines changed

Lib/http/client.py

Lines changed: 10 additions & 0 deletions
< 10000 /tr>
Original file line numberDiff line numberDiff line change
@@ -828,6 +828,8 @@ def __init__(self, host, port=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
828828

829829
(self.host, self.port) = self._get_hostport(host, port)
830830

831+
self._validate_host(self.host)
832+
831833
# This is stored as an instance variable to allow unit
832834
# tests to replace it with a suitable mockup
833835
self._create_connection = socket.create_connection
@@ -1183,6 +1185,14 @@ def _validate_path(self, url):
11831185
raise InvalidURL(f"URL can't contain control characters. {url!r} "
11841186
f"(found at least {match.group()!r})")
11851187

1188+
def _validate_host(self, host):
1189+
"""Validate a host so it doesn't contain control characters."""
1190+
# Prevent CVE-2019-18348.
1191+
match = _contains_disallowed_url_pchar_re.search(host)
1192+
if match:
1193+
raise InvalidURL(f"URL can't contain control characters. {host!r} "
1194+
f"(found at least {match.group()!r})")
1195+
11861196
def putheader(self, header, *values):
11871197
"""Send a request header line to the server.
11881198

Lib/test/test_httplib.py

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1155,7 +1155,7 @@ def run_server():
11551155
thread.join()
11561156
self.assertEqual(result, b"proxied data\n")
11571157

1158-
def test_putrequest_override_validation(self):
1158+
def test_putrequest_override_domain_validation(self):
11591159
"""
11601160
It should be possible to override the default validation
11611161
behavior in putrequest (bpo-38216).
@@ -1168,6 +1168,17 @@ def _validate_path(self, url):
11681168
conn.sock = FakeSocket('')
11691169
conn.putrequest('GET', '/\x00')
11701170

1171+
def test_putrequest_override_host_validation(self):
1172+
class UnsafeHTTPConnection(client.HTTPConnection):
1173+
def _validate_host(self, url):
1174+
pass
1175+
1176+
conn = UnsafeHTTPConnection('example.com\r\n')
1177+
conn.sock = FakeSocket('')
1178+
# set skip_host so a ValueError is not raised upon adding the
1179+
# invalid URL as the value of the "Host:" header
1180+
conn.putrequest('GET', '/', skip_host=1)
1181+
11711182
def test_putrequest_override_encoding(self):
11721183
"""
11731184
It should be possible to override the default encoding

Lib/test/test_urllib.py

Lines changed: 34 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -370,7 +370,7 @@ def test_willclose(self):
370370
self.unfakehttp()
371371

372372
@unittest.skipUnless(ssl, "ssl module required")
373-
def test_url_with_control_char_rejected(self):
373+
def test_url_path_with_control_char_rejected(self):
374374
for char_no in list(range(0, 0x21)) + [0x7f]:
375375
char = chr(char_no)
376376
schemeless_url = f"//localhost:7777/test{char}/"
@@ -397,7 +397,7 @@ def test_url_with_control_char_rejected(self):
397397
self.unfakehttp()
398398

399399
@unittest.skipUnless(ssl, "ssl module required")
400-
def test_url_with_newline_header_injection_rejected(self):
400+
def test_url_path_with_newline_header_injection_rejected(self):
401401
self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
402402
host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
403403
schemeless_url = "//" + host + ":8080/test/?test=a"
@@ -422,6 +422,38 @@ def test_url_with_newline_header_injection_rejected(self):
422422
finally:
423423
self.unfakehttp()
424424

425+
@unittest.skipUnless(ssl, "ssl module required")
426+
def test_url_host_with_control_char_rejected(self):
427+
for char_no in list(range(0, 0x21)) + [0x7f]:
428+
char = chr(char_no)
429+
schemeless_url = f"//localhost{char}/test/"
430+
self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
431+
try:
432+
escaped_char_repr = repr(char).replace('\\', r'\\')
433+
InvalidURL = http.client.InvalidURL
434+
with self.assertRaisesRegex(
435+
InvalidURL, f"contain control.*{escaped_char_repr}"):
436+
urlopen(f"http:{schemeless_url}")
437+
with self.assertRaisesRegex(InvalidURL, f"contain control.*{escaped_char_repr}"):
438+
urlopen(f"https:{schemeless_url}")
439+
finally:
440+
self.unfakehttp()
441+
442+
@unittest.skipUnless(ssl, "ssl module required")
443+
def test_url_host_with_newline_header_injection_rejected(self):
444+
self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
445+
host = "localhost\r\nX-injected: header\r\n"
446+
schemeless_url = "//" + host + ":8080/test/?test=a"
447+
try:
448+
InvalidURL = http.client.InvalidURL
449+
with self.assertRaisesRegex(
450+
InvalidURL, r"contain control.*\\r"):
451+
urlopen(f"http:{schemeless_url}")
452+
with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
453+
urlopen(f"https:{schemeless_url}")
454+
finally:
455+
self.unfakehttp()
456+
425457
def test_read_0_9(self):
426458
# "0.9" response accepted (but not "simple responses" without
427459
# a status line)

Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst

Lines changed: 1 addition & 0 deletions
Original file line 3E6B numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

0 commit comments

Comments
 (0)
0