bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior by jaraco · Pull Request #16448 · python/cpython · GitHub

bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior #16448


Merged
merged 10 commits into from
Sep 28, 2019
bpo-38216: Allow bypassing input validation
jaraco committed Sep 20, 2019
commit 5cc856d4a7fa02de526cccf3bf04b4fe38b559ee
12 changes: 8 additions & 4 deletions Lib/http/client.py
Expand Up @@ -1089,10 +1089,7 @@ def putrequest(self, method, url, skip_host=False,
self._method = method
if not url:
url = '/'
# Prevent CVE-2019-9740.
if match := _contains_disallowed_url_pchar_re.search(url):
raise InvalidURL(f"URL can't contain control characters. {url!r} "
f"(found at least {match.group()!r})")
self._validate_url(url)
request = '%s %s %s' % (method, url, self._http_vsn_str)

# Non-ASCII characters should have been eliminated earlier
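Review bot: The call site `self._validate_url(url)` in putrequest no longer says that it is the CVE-2019-9740 guard, because the comment moved into the helper along with the check. Since the result is interpolated straight into `request = '%s %s %s' % (method, url, self._http_vsn_str)` on the next line, I would keep a one-line comment here stating that this call must stay ahead of the request-line formatting, so a later refactor does not reorder or drop it. In the visible lines only `url` goes through the check while `method` is formatted into the same line; worth confirming that is intended or handled elsewhere.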
Expand Down Expand Up @@ -1174,6 +1171,13 @@ def putrequest(self, method, url, skip_host=False,
# For HTTP/1.0, the server will assume "not chunked"
pass

def _validate_url(self, url):
"""Validate a url for putrequest"""
# Prevent CVE-2019-9740.
if match := _contains_disallowed_url_pchar_re.search(url):
raise InvalidURL(f"URL can't contain control characters. {url!r} "
f"(found at least {match.group()!r})")

def putheader(self, header, *values):
"""Send a request header line to the server.

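Review bot: The docstring on `_validate_url` ("Validate a url for putrequest") does not describe the contract a subclass needs in order to override it safely. Given the commit's stated purpose is to allow bypassing input validation, it should say that the method signals failure by raising InvalidURL, that its return value is ignored, and that an override which does not reject control characters removes the CVE-2019-9740 protection for every request made through that subclass. The leading underscore also marks the method as private while it is being introduced as an extension point; either document it as a supported hook or note in the docstring that overriding it is at the caller's own risk. No test is visible in this hunk for the default path still raising on a URL containing control characters after the move.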