Skip to content

bpo-39603: Prevent header injection in http methods #18485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jul 18, 2020
Merged

bpo-39603: Prevent header injection in http methods #18485

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
afb7ee6
reject control characters within http method name
amiremohamadi Feb 12, 2020
b14bd48
Update 2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
amiremohamadi Feb 12, 2020
31ae513
add test for rejecting bad HTTP method names
amiremohamadi Feb 12, 2020
5d9825f
Merge branch 'fix-http-header-injection' of github.com:amiremohamadi/…
amiremohamadi Feb 12, 2020
26ae130
fix comment position
amiremohamadi Jul 18, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions Lib/http/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,10 @@
# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
# We are more lenient for assumed real world compatibility purposes.

# These characters are not allowed within HTTP method names
# to prevent http header injection.
_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')

# We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
Expand Down Expand Up @@ -1085,6 +1089,8 @@ def putrequest(self, method, url, skip_host=False,
else:
raise CannotSendRequest(self.__state)

self._validate_method(method)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Placing the validation right behind this comment is somewhat misleading -- the comment explains the assignment, but the validation is not just for the assignment -- its primary use is for the construction of the request variable a few lines nelow (L1099 in this version). I recommend moving this up and placing blank lines around it.


# Save the method for use later in the response phase
self._method = method

Expand Down Expand Up @@ -1175,6 +1181,15 @@ def _encode_request(self, request):
# ASCII also helps prevent CVE-2019-9740.
return request.encode('ascii')

def _validate_method(self, method):
"""Validate a method name for putrequest."""
# prevent http header injection
match = _contains_disallowed_method_pchar_re.search(method)
if match:
raise ValueError(
f"method can't contain control characters. {method!r} "
f"(found at least {match.group()!r})")

def _validate_path(self, url):
"""Validate a url for putrequest."""
# Prevent CVE-2019-9740.
Expand Down
22 changes: 22 additions & 0 deletions Lib/test/test_httplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
self.assertEqual(lines[3], "header: Second: val2")


class HttpMethodTests(TestCase):
def test_invalid_method_names(self):
methods = (
'GET\r',
'POST\n',
'PUT\n\r',
'POST\nValue',
'POST\nHOST:abc',
'GET\nrHost:abc\n',
'POST\rRemainder:\r',
'GET\rHOST:\n',
'\nPUT'
)

for method in methods:
with self.assertRaisesRegex(
ValueError, "method can't contain control characters"):
conn = client.HTTPConnection('example.com')
conn.sock = FakeSocket(None)
conn.request(method=method, url="/")


class TransferEncodingTest(TestCase):
expected_body = b"It's just a flesh wound"

Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Prevent http header injection by rejecting control characters in
http.client.putrequest(...).