8000 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21… · python/cpython@ca75fec · GitHub
[go: up one dir, main page]

Skip to content 8000

Commit ca75fec

Browse files
bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538)
reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
1 parent eb0d255 commit ca75fec

File tree

3 files changed

+39
-0
lines changed

3 files changed

+39
-0
lines changed

Lib/http/client.py

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -150,6 +150,10 @@
150150
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
151151
# We are more lenient for assumed real world compatibility purposes.
152152

153+
# These characters are not allowed within HTTP method names
154+
# to prevent http header injection.
155+
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
156+
153157
# We always set the Content-Length header for these methods because some
154158
# servers will otherwise respond with a 411
155159
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@@ -1109,6 +1113,8 @@ def putrequest(self, method, url, skip_host=False,
11091113
else:
11101114
raise CannotSendRequest(self.__state)
11111115

1116+
self._validate_method(method)
1117+
11121118
# Save the method for use later in the response phase
11131119
self._method = method
11141120

@@ -1199,6 +1205,15 @@ def _encode_request(self, request):
11991205
# ASCII also helps prevent CVE-2019-9740.
12001206
return request.encode('ascii')
12011207

1208+
def _validate_method(self, method):
1209+
"""Validate a method name for putrequest."""
1210+
# prevent http header injection
1211+
match = _contains_disallowed_method_pchar_re.search(method)
1212+
if match:
1213+
raise ValueError(
1214+
f"method can't contain control characters. {method!r} "
1215+
f"(found at least {match.group()!r})")
1216+
12021217
def _validate_path(self, url):
12031218
"""Validate a url for putrequest."""
12041219
# Prevent CVE-2019-9740.

Lib/test/test_httplib.py

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -363,6 +363,28 @@ def test_headers_debuglevel(self):
363363
self.assertEqual(lines[3], "header: Second: val2")
364364

365365

366+
class HttpMethodTests(TestCase):
367+
def test_invalid_method_names(self):
368+
methods = (
369+
'GET\r',
370+
'POST\n',
371+
'PUT\n\r',
372+
'POST\nValue',
373+
'POST\nHOST:abc',
374+
'GET\nrHost:abc\n',
375+
'POST\rRemainder:\r',
376+
'GET\rHOST:\n',
377+
'\nPUT'
378+
)
379+
380+
for method in methods:
381+
with self.assertRaisesRegex(
382+
ValueError, "method can't contain control characters"):
383+
conn = client.HTTPConnection('example.com')
384+
conn.sock = FakeSocket(None)
385+
conn.request(method=method, url="/")
386+
387+
366388
class TransferEncodingTest(TestCase):
367389
expected_body = b"It's just a flesh wound"
368390

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Prevent http header injection by rejecting control characters in
2+
http.client.putrequest(...).

0 commit comments

Comments
 (0)
0