mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-02 16:13:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-39603: Prevent header injection in http methods (GH-18485)

Browse source 
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
This commit is contained in:
Miss Islington (bot) 2020-07-18 13:41:55 -07:00 committed by GitHub
parent f92544483f
commit 27b811057f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
Lib/test/test_httplib.py
View file

@ -365,6 +365,28 @@ class HeaderTests(TestCase):
self.assertEqual(lines[3], "header: Second: val2")
class HttpMethodTests(TestCase):
def test_invalid_method_names(self):
methods = (
'GET\r',
'POST\n',
'PUT\n\r',
'POST\nValue',
'POST\nHOST:abc',
'GET\nrHost:abc\n',
'POST\rRemainder:\r',
'GET\rHOST:\n',
'\nPUT'
)
for method in methods:
with self.assertRaisesRegex(
ValueError, "method can't contain control characters"):
conn = client.HTTPConnection('example.com')
conn.sock = FakeSocket(None)
conn.request(method=method, url="/")
class TransferEncodingTest(TestCase):
expected_body = b"It's just a flesh wound"