| From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001 |
| From: "Miss Islington (bot)" |
| <31488909+miss-islington@users.noreply.github.com> |
| Date: Sat, 18 Jul 2020 13:39:12 -0700 |
| Subject: [PATCH] bpo-39603: Prevent header injection in http methods |
| (GH-18485) |
| |
| reject control chars in http method in http.client.putrequest to prevent http header injection |
| (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) |
| |
| Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com> |
| |
| Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf] |
| CVE: CVE-2020-26116 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| |
| --- |
| Lib/http/client.py | 15 +++++++++++++ |
| Lib/test/test_httplib.py | 22 +++++++++++++++++++ |
| .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++ |
| 3 files changed, 39 insertions(+) |
| create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst |
| |
| diff --git a/Lib/http/client.py b/Lib/http/client.py |
| index 019380a720318..c2ad0471bfee5 100644 |
| --- a/Lib/http/client.py |
| +++ b/Lib/http/client.py |
| @@ -147,6 +147,10 @@ |
| # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") |
| # We are more lenient for assumed real world compatibility purposes. |
| |
| +# These characters are not allowed within HTTP method names |
| +# to prevent http header injection. |
| +_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') |
| + |
| # We always set the Content-Length header for these methods because some |
| # servers will otherwise respond with a 411 |
| _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} |
| @@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, |
| else: |
| raise CannotSendRequest(self.__state) |
| |
| + self._validate_method(method) |
| + |
| # Save the method for use later in the response phase |
| self._method = method |
| |
| @@ -1177,6 +1183,15 @@ def _encode_request(self, request): |
| # ASCII also helps prevent CVE-2019-9740. |
| return request.encode('ascii') |
| |
| + def _validate_method(self, method): |
| + """Validate a method name for putrequest.""" |
| + # prevent http header injection |
| + match = _contains_disallowed_method_pchar_re.search(method) |
| + if match: |
| + raise ValueError( |
| + f"method can't contain control characters. {method!r} " |
| + f"(found at least {match.group()!r})") |
| + |
| def _validate_path(self, url): |
| """Validate a url for putrequest.""" |
| # Prevent CVE-2019-9740. |
| diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py |
| index 8f0e27a1fb836..5a5fcecbc9c15 100644 |
| --- a/Lib/test/test_httplib.py |
| +++ b/Lib/test/test_httplib.py |
| @@ -364,6 +364,28 @@ def test_headers_debuglevel(self): |
| self.assertEqual(lines[3], "header: Second: val2") |
| |
| |
| +class HttpMethodTests(TestCase): |
| + def test_invalid_method_names(self): |
| + methods = ( |
| + 'GET\r', |
| + 'POST\n', |
| + 'PUT\n\r', |
| + 'POST\nValue', |
| + 'POST\nHOST:abc', |
| + 'GET\nrHost:abc\n', |
| + 'POST\rRemainder:\r', |
| + 'GET\rHOST:\n', |
| + '\nPUT' |
| + ) |
| + |
| + for method in methods: |
| + with self.assertRaisesRegex( |
| + ValueError, "method can't contain control characters"): |
| + conn = client.HTTPConnection('example.com') |
| + conn.sock = FakeSocket(None) |
| + conn.request(method=method, url="/") |
| + |
| + |
| class TransferEncodingTest(TestCase): |
| expected_body = b"It's just a flesh wound" |
| |
| diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst |
| new file mode 100644 |
| index 0000000000000..990affc3edd9d |
| --- /dev/null |
| +++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst |
| @@ -0,0 +1,2 @@ |
| +Prevent http header injection by rejecting control characters in |
| +http.client.putrequest(...). |