diff options
author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2020-03-14 15:35:52 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-14 18:35:52 -0400 |
commit | 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba (patch) | |
tree | 6fc01adf47639d9ff592409882f6fabee3a549aa /Lib/http/client.py | |
parent | 6b6756f1283a87091c6186e70b544d4789e12c51 (diff) | |
download | cpython-git-83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba.tar.gz |
bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
Add host validation for control characters for more CVE-2019-18348 protection.
(cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Diffstat (limited to 'Lib/http/client.py')
-rw-r--r-- | Lib/http/client.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py index d4821f1a96..c0ac7db6f4 100644 --- a/Lib/http/client.py +++ b/Lib/http/client.py @@ -858,6 +858,8 @@ class HTTPConnection: (self.host, self.port) = self._get_hostport(host, port) + self._validate_host(self.host) + # This is stored as an instance variable to allow unit # tests to replace it with a suitable mockup self._create_connection = socket.create_connection @@ -1215,6 +1217,14 @@ class HTTPConnection: raise InvalidURL(f"URL can't contain control characters. {url!r} " f"(found at least {match.group()!r})") + def _validate_host(self, host): + """Validate a host so it doesn't contain control characters.""" + # Prevent CVE-2019-18348. + match = _contains_disallowed_url_pchar_re.search(host) + if match: + raise InvalidURL(f"URL can't contain control characters. {host!r} " + f"(found at least {match.group()!r})") + def putheader(self, header, *values): """Send a request header line to the server. |