From bf8cef58a56933b40e7ec9498ecf69093ee3b653 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith [Google LLC]"
Date: Wed, 1 May 2019 13:09:04 -0700
Subject: [PATCH 1/2] bpo-30458: Use InvaludURL instead of ValueError.

---
 Lib/http/client.py | 2 +-
 Lib/test/test_urllib.py | 10 ++++++----
 .../Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst | 2 +-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/Lib/http/client.py b/Lib/http/client.py
index 99d6a68cf42823..f71a062d2b5783 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -1091,7 +1091,7 @@ def putrequest(self, method, url, skip_host=False,
 url = '/'
 # Prevent CVE-2019-9740.
 if match := _contains_disallowed_url_pchar_re.search(url):
- raise ValueError(f"URL can't contain control characters. {url!r} "
+ raise InvalidURL(f"URL can't contain control characters. {url!r} "
 f"(found at least {match.group()!r})")
 request = '%s %s %s' % (method, url, self._http_vsn_str)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index c5b23f935b275b..7214492eca9d88 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -343,11 +343,12 @@ def test_url_with_control_char_rejected(self):
 # calls urllib.parse.quote() on the URL which makes all of the
 # above attempts at injection within the url _path_ safe.
 escaped_char_repr = repr(char).replace('\\', r'\\')
+ InvalidURL = http.client.InvalidURL
 with self.assertRaisesRegex(
- ValueError, f"contain control.*{escaped_char_repr}"):
+ InvalidURL, f"contain control.*{escaped_char_repr}"):
 urllib.request.urlopen(f"http:{schemeless_url}")
 with self.assertRaisesRegex(
- ValueError, f"contain control.*{escaped_char_repr}"):
+ InvalidURL, f"contain control.*{escaped_char_repr}"):
 urllib.request.urlopen(f"https:{schemeless_url}")
 # This code path quotes the URL so there is no injection.
 resp = urlopen(f"http:{schemeless_url}")
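Review bot: The new `raise InvalidURL(...)` changes the exception hierarchy, not only the name: InvalidURL is an HTTPException subclass, so any caller that wraps this path in `except ValueError:` (written against the earlier form of the CVE-2019-9740 check) no longer catches the rejection and the error propagates. If the ValueError form has already shipped in a release, that is a compatibility break worth stating explicitly rather than leaving it implied by the NEWS wording. A why-comment on the raise would help the next reader, e.g. `# Rejected URLs raise http.client.InvalidURL (an HTTPException), not ValueError.` The diffstat lists no Doc/ change, so the exception documented for request()/putrequest() may need the same update; putrequest's body starts and ends outside this hunk.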
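Review bot: The local alias `InvalidURL = http.client.InvalidURL` added here, and again in the @@ -367 hunk, rebinds a module-level exception name inside each test body (here apparently inside the per-character loop, since `escaped_char_repr` is derived from `char`); a single module-level `from http.client import InvalidURL`, or writing `http.client.InvalidURL` directly in the two `assertRaisesRegex` calls, would avoid repeating the binding in every test that needs it. The diffstat lists only test_urllib.py, so if other test modules assert `ValueError` for the control-character rejection they would need the same change; none is visible in this patch. The enclosing test method begins outside the hunk.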
@@ -367,10 +368,11 @@ def test_url_with_newline_header_injection_rejected(self):
 # urlopen uses FancyURLOpener which goes via a codepath that
 # calls urllib.parse.quote() on the URL which makes all of the
 # above attempts at injection within the url _path_ safe.
+ InvalidURL = http.client.InvalidURL
 with self.assertRaisesRegex(
- ValueError, r"contain control.*\\r.*(found at least . .)"):
+ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
 urllib.request.urlopen(f"http:{schemeless_url}")
- with self.assertRaisesRegex(ValueError, r"contain control.*\\n"):
+ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
 urllib.request.urlopen(f"https:{schemeless_url}")
 # This code path quotes the URL so there is no injection.
 resp = urlopen(f"http:{schemeless_url}")
diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
index 4fed4d545040e9..ed8027fb4d6420 100644
--- a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
@@ -1 +1 @@
-Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.
\ No newline at end of file
+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.

From 7146fb67a8a27131593508c750a370c6e09d5d6a Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith [Google LLC]"
Date: Wed, 1 May 2019 13:21:02 -0700
Subject: [PATCH 2/2] rename the news file to reference the non-duped issue.

---
 ...-36276.51E-DA.rst => 2019-04-10-08-53-30.bpo-30458.51E-DA.rst} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Misc/NEWS.d/next/Security/{2019-04-10-08-53-30.bpo-36276.51E-DA.rst => 2019-04-10-08-53-30.bpo-30458.51E-DA.rst} (100%)

diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
similarity index 100%
rename from Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
rename to Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst