bpo-38576: Disallow control characters in hostnames in http.client (GH-18995)

Add host validation for control characters for more CVE-2019-18348 protection.
2025-08-04 00:48:58 +00:00 · 2020-03-14 14:56:06 -04:00 · 2020-03-14 14:56:06 -04:00 · 9165addc22
commit 9165addc22
parent 6672c16b1d
4 changed files with 57 additions and 3 deletions
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@ -828,6 +828,8 @@ class HTTPConnection:

        (self.host, self.port) = self._get_hostport(host, port)

+        self._validate_host(self.host)
+
        # This is stored as an instance variable to allow unit
        # tests to replace it with a suitable mockup
        self._create_connection = socket.create_connection
@ -1183,6 +1185,14 @@ class HTTPConnection:
            raise InvalidURL(f"URL can't contain control characters. {url!r} "
                             f"(found at least {match.group()!r})")

+    def _validate_host(self, host):
+        """Validate a host so it doesn't contain control characters."""
+        # Prevent CVE-2019-18348.
+        match = _contains_disallowed_url_pchar_re.search(host)
+        if match:
+            raise InvalidURL(f"URL can't contain control characters. {host!r} "
+                             f"(found at least {match.group()!r})")
+
    def putheader(self, header, *values):
        """Send a request header line to the server.