8000 [3.6] bpo-39603: Prevent header injection in http methods (GH-18485) by miss-islington · Pull Request #21539 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

[3.6] bpo-39603: Prevent header injection in http methods (GH-18485) #21539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 19, 2020
Merged

[3.6] bpo-39603: Prevent header injection in http methods (GH-18485) #21539

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
bpo-39603: Prevent header injection in http methods (GH-18485) 
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
  • Loading branch information
@amiremohamadi @miss-islington
amiremohamadi authored and miss-islington committed Jul 18, 2020
commit ea33946e3adef1baa9e5e17c584f7f63ec864f57
15 changes: 15 additions & 0 deletions Lib/http/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,10 @@
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
# We are more lenient for assumed real world compatibility purposes.

# These characters are not allowed within HTTP method names
# to prevent http header injection.
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')

# We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
Expand Down Expand Up @@ -1119,6 +1123,8 @@ def putrequest(self, method, url, skip_host=False,
else:
raise CannotSendRequest(self.__state)

self._validate_method(method)

# Save the method for use later in the response phase
self._method = method

Expand Down Expand Up @@ -1209,6 +1215,15 @@ def _encode_request(self, request):
# ASCII also helps prevent CVE-2019-9740.
return request.encode('ascii')

def _validate_method(self, method):
"""Validate a method name for putrequest."""
# prevent http header injection
match = _contains_disallowed_method_pchar_re.search(method)
if match:
raise ValueError(
f"method can't contain control characters. {method!r} "
f"(found at least {match.group()!r})")

def _validate_path(self, url):
"""Validate a url for putrequest."""
# Prevent CVE-2019-9740.
Expand Down
22 changes: 22 additions & 0 deletions Lib/test/test_httplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -359,6 +359,28 @@ def test_headers_debuglevel(self):
self.assertEqual(lines[2], "header: Second: val")


class HttpMethodTests(TestCase):
def test_invalid_method_names(self):
methods = (
'GET\r',
'POST\n',
'PUT\n\r',
'POST\nValue',
'POST\nHOST:abc',
'GET\nrHost:abc\n',
'POST\rRemainder:\r',
'GET\rHOST:\n',
'\nPUT'
)

for method in methods:
with self.assertRaisesRegex(
ValueError, "method can't contain control characters"):
conn = client.HTTPConnection('example.com')
conn.sock = FakeSocket(None)
conn.request(method=method, url="/")


class TransferEncodingTest(TestCase):
expected_body = b"It's just a flesh wound"

Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Prevent http header injection by rejecting control characters in
http.client.putrequest(...).
0