8000 [3.6] bpo-30458: Disallow control chars in http URLs. (GH-12755) by hroncok · Pull Request #13155 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

[3.6] bpo-30458: Disallow control chars in http URLs. (GH-12755) #13155

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 8, 2019
Merged

[3.6] bpo-30458: Disallow control chars in http URLs. (GH-12755) #13155

merged 1 commit into from
May 8, 2019

Conversation

hroncok
Copy link
Contributor
@hroncok hroncok commented May 7, 2019
edited by bedevere-bot
Loading

Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.

Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.

Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)

Co-Authored-By: Miro Hrončok miro@hroncok.cz

https://bugs.python.org/issue30458

@gpshead @hroncok
bpo-30458: Disallow control chars in http URLs. (pythonGH-12755)
50fe2a1 
Disallow control chars in http URLs in urllib.urlopen.  This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.

Disable https related urllib tests on a build without ssl (pythonGH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.

Use http.client.InvalidURL instead of ValueError as the new error case's exception. (pythonGH-13044)

Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
@bedevere-bot bedevere-bot mentioned this pull request May 7, 2019
Merged
@bedevere-bot bedevere-bot added type-bug An unexpected behavior, bug, or error type-security A security issue awaiting review labels May 7, 2019
@gpshead gpshead assigned gpshead and ned-deily and unassigned gpshead May 7, 2019
@ned-deily ned-deily merged commit c50d437 into python:3.6 May 8, 2019
@hroncok hroncok deleted the 3.6-issue30458 branch May 13, 2019 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead approved these changes

@ned-deily ned-deily ned-deily approved these changes

Assignees

@ned-deily ned-deily

Labels
type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@hroncok @gpshead @ned-deily @the-knights-who-say-ni @bedevere-bot
0