Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
cpython
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
cpython
Commits
798736e3
Commit
798736e3
authored
Mar 12, 2015
by
Serhiy Storchaka
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Issue #22928: Disabled HTTP header injections in httplib.
Original patch by Demian Brecht.
parent
8f7d987f
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
98 additions
and
1 deletion
+98
-1
Lib/httplib.py
Lib/httplib.py
+39
-1
Lib/test/test_httplib.py
Lib/test/test_httplib.py
+56
-0
Misc/NEWS
Misc/NEWS
+3
-0
No files found.
Lib/httplib.py
View file @
798736e3
...
...
@@ -68,6 +68,7 @@ Req-sent-unread-response _CS_REQ_SENT <response_class>
from
array
import
array
import
os
import
re
import
socket
from
sys
import
py3kwarning
from
urlparse
import
urlsplit
...
...
@@ -218,6 +219,34 @@ _MAXLINE = 65536
# maximum amount of headers accepted
_MAXHEADERS
=
100
# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
#
# VCHAR = %x21-7E
# obs-text = %x80-FF
# header-field = field-name ":" OWS field-value OWS
# field-name = token
# field-value = *( field-content / obs-fold )
# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
# field-vchar = VCHAR / obs-text
#
# obs-fold = CRLF 1*( SP / HTAB )
# ; obsolete line folding
# ; see Section 3.2.4
# token = 1*tchar
#
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
# / DIGIT / ALPHA
# ; any VCHAR, except delimiters
#
# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
# the patterns for both name and value are more leniant than RFC
# definitions to allow for backwards compatibility
_is_legal_header_name
=
re
.
compile
(
r'\
A[^:
\s][^:\r\n]*\
Z
').match
_is_illegal_header_value = re.compile(r'
\
n
(
?!
[
\
t
])
|
\
r
(
?!
[
\
t
\
n
])
').search
class HTTPMessage(mimetools.Message):
...
...
@@ -983,7 +1012,16 @@ class HTTPConnection:
if
self
.
__state
!=
_CS_REQ_STARTED
:
raise
CannotSendHeader
()
hdr
=
'%s: %s'
%
(
header
,
'
\
r
\
n
\
t
'
.
join
([
str
(
v
)
for
v
in
values
]))
header
=
'%s'
%
header
if
not
_is_legal_header_name
(
header
):
raise
ValueError
(
'Invalid header name %r'
%
(
header
,))
values
=
[
str
(
v
)
for
v
in
values
]
for
one_value
in
values
:
if
_is_illegal_header_value
(
one_value
):
raise
ValueError
(
'Invalid header value %r'
%
(
one_value
,))
hdr
=
'%s: %s'
%
(
header
,
'
\
r
\
n
\
t
'
.
join
(
values
))
self
.
_output
(
hdr
)
def
endheaders
(
self
,
message_body
=
None
):
...
...
Lib/test/test_httplib.py
View file @
798736e3
...
...
@@ -145,6 +145,33 @@ class HeaderTests(TestCase):
conn
.
putheader
(
'Content-length'
,
42
)
self
.
assertIn
(
'Content-length: 42'
,
conn
.
_buffer
)
conn
.
putheader
(
'Foo'
,
' bar '
)
self
.
assertIn
(
b'Foo: bar '
,
conn
.
_buffer
)
conn
.
putheader
(
'Bar'
,
'
\
t
baz
\
t
'
)
self
.
assertIn
(
b'Bar:
\
t
baz
\
t
'
,
conn
.
_buffer
)
conn
.
putheader
(
'Authorization'
,
'Bearer mytoken'
)
self
.
assertIn
(
b'Authorization: Bearer mytoken'
,
conn
.
_buffer
)
conn
.
putheader
(
'IterHeader'
,
'IterA'
,
'IterB'
)
self
.
assertIn
(
b'IterHeader: IterA
\
r
\
n
\
t
IterB'
,
conn
.
_buffer
)
conn
.
putheader
(
'LatinHeader'
,
b'
\
xFF
'
)
self
.
assertIn
(
b'LatinHeader:
\
xFF
'
,
conn
.
_buffer
)
conn
.
putheader
(
'Utf8Header'
,
b'
\
xc3
\
x80
'
)
self
.
assertIn
(
b'Utf8Header:
\
xc3
\
x80
'
,
conn
.
_buffer
)
conn
.
putheader
(
'C1-Control'
,
b'next
\
x85
line'
)
self
.
assertIn
(
b'C1-Control: next
\
x85
line'
,
conn
.
_buffer
)
conn
.
putheader
(
'Embedded-Fold-Space'
,
'is
\
r
\
n
allowed'
)
self
.
assertIn
(
b'Embedded-Fold-Space: is
\
r
\
n
allowed'
,
conn
.
_buffer
)
conn
.
putheader
(
'Embedded-Fold-Tab'
,
'is
\
r
\
n
\
t
allowed'
)
self
.
assertIn
(
b'Embedded-Fold-Tab: is
\
r
\
n
\
t
allowed'
,
conn
.
_buffer
)
conn
.
putheader
(
'Key Space'
,
'value'
)
self
.
assertIn
(
b'Key Space: value'
,
conn
.
_buffer
)
conn
.
putheader
(
'KeySpace '
,
'value'
)
self
.
assertIn
(
b'KeySpace : value'
,
conn
.
_buffer
)
conn
.
putheader
(
b'Nonbreak
\
xa0
Space'
,
'value'
)
self
.
assertIn
(
b'Nonbreak
\
xa0
Space: value'
,
conn
.
_buffer
)
conn
.
putheader
(
b'
\
xa0
NonbreakSpace'
,
'value'
)
self
.
assertIn
(
b'
\
xa0
NonbreakSpace: value'
,
conn
.
_buffer
)
def
test_ipv6host_header
(
self
):
# Default host header on IPv6 transaction should wrapped by [] if
# its actual IPv6 address
...
...
@@ -174,6 +201,35 @@ class HeaderTests(TestCase):
self
.
assertEqual
(
resp
.
getheader
(
'First'
),
'val'
)
self
.
assertEqual
(
resp
.
getheader
(
'Second'
),
'val'
)
def
test_invalid_headers
(
self
):
conn
=
httplib
.
HTTPConnection
(
'example.com'
)
conn
.
sock
=
FakeSocket
(
''
)
conn
.
putrequest
(
'GET'
,
'/'
)
# http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
# longer allowed in header names
cases
=
(
(
b'Invalid
\
r
\
n
Name'
,
b'ValidValue'
),
(
b'Invalid
\
r
Name'
,
b'ValidValue'
),
(
b'Invalid
\
n
Name'
,
b'ValidValue'
),
(
b'
\
r
\
n
InvalidName'
,
b'ValidValue'
),
(
b'
\
r
InvalidName'
,
b'ValidValue'
),
(
b'
\
n
InvalidName'
,
b'ValidValue'
),
(
b' InvalidName'
,
b'ValidValue'
),
(
b'
\
t
InvalidName'
,
b'ValidValue'
),
(
b'Invalid:Name'
,
b'ValidValue'
),
(
b':InvalidName'
,
b'ValidValue'
),
(
b'ValidName'
,
b'Invalid
\
r
\
n
Value'
),
(
b'ValidName'
,
b'Invalid
\
r
Value'
),
(
b'ValidName'
,
b'Invalid
\
n
Value'
),
(
b'ValidName'
,
b'InvalidValue
\
r
\
n
'
),
(
b'ValidName'
,
b'InvalidValue
\
r
'
),
(
b'ValidName'
,
b'InvalidValue
\
n
'
),
)
for
name
,
value
in
cases
:
with
self
.
assertRaisesRegexp
(
ValueError
,
'Invalid header'
):
conn
.
putheader
(
name
,
value
)
class
BasicTest
(
TestCase
):
def
test_status_lines
(
self
):
...
...
Misc/NEWS
View file @
798736e3
...
...
@@ -21,6 +21,9 @@ Core and Builtins
Library
-------
- Issue #22928: Disabled HTTP header injections in httplib.
Original patch by Demian Brecht.
- Issue #23615: Module tarfile is now can be reloaded with imp.reload().
- Issue #22853: Fixed a deadlock when use multiprocessing.Queue at import time.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment