diff options
| author | Gregory P. Smith <greg@krypto.org> | 2022-12-05 14:27:55 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-05 14:27:55 -0800 |
| commit | 7e29398407dbd53b714702abb89aa2fd7baca48a (patch) | |
| tree | 58e6a710bc11ed6acce0fa8b777110818cf9be42 | |
| parent | e9e63ad8653296c199446d6f7cdad889e492a34e (diff) | |
| download | cpython-git-7e29398407dbd53b714702abb89aa2fd7baca48a.tar.gz | |
gh-100001: Also escape \s in http.server log messages. (#100038)
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was. Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
| -rw-r--r-- | Lib/http/server.py | 1 | ||||
| -rw-r--r-- | Lib/test/test_httpservers.py | 2 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Library/2022-12-05-13-40-15.gh-issue-100001.78ReYp.rst | 5 |
3 files changed, 8 insertions, 0 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index 3b5bd9eb01..8acabff605 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -566,6 +566,7 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler): # https://en.wikipedia.org/wiki/List_of_Unicode_characters#Control_codes _control_char_table = str.maketrans( {c: fr'\x{c:02x}' for c in itertools.chain(range(0x20), range(0x7f,0xa0))}) + _control_char_table[ord('\\')] = r'\\' def log_message(self, format, *args): """Log an arbitrary message. diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index b0e2d713e3..ca078862cc 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -1000,6 +1000,7 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase): log_message(self.handler, '/\033bar\000\033') log_message(self.handler, '/spam %s.', 'a') log_message(self.handler, '/spam %s.', '\033\x7f\x9f\xa0beans') + log_message(self.handler, '"GET /foo\\b"ar\007 HTTP/1.0"') stderr = fake_stderr.getvalue() self.assertNotIn('\033', stderr) # non-printable chars are caught. self.assertNotIn('\000', stderr) # non-printable chars are caught. @@ -1008,6 +1009,7 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase): self.assertIn(r'/\x1bbar\x00\x1b', lines[1]) self.assertIn('/spam a.', lines[2]) self.assertIn('/spam \\x1b\\x7f\\x9f\xa0beans.', lines[3]) + self.assertIn(r'"GET /foo\\b"ar\x07 HTTP/1.0"', lines[4]) def test_http_1_1(self): result = self.send_typical_request(b'GET / HTTP/1.1\r\n\r\n') diff --git a/Misc/NEWS.d/next/Library/2022-12-05-13-40-15.gh-issue-100001.78ReYp.rst b/Misc/NEWS.d/next/Library/2022-12-05-13-40-15.gh-issue-100001.78ReYp.rst new file mode 100644 index 0000000000..e305352c7a --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-12-05-13-40-15.gh-issue-100001.78ReYp.rst @@ -0,0 +1,5 @@ +Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so +that it is technically possible to parse the line and reconstruct what the +original data was. Without this a \xHH is ambiguious as to if it is a hex +replacement we put in or the characters r"\x" came through in the original +request line. |