authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2020-03-14 15:35:52 -0700
committerGitHub <noreply@github.com>2020-03-14 18:35:52 -0400
commit83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba (patch)
tree6fc01adf47639d9ff592409882f6fabee3a549aa /Lib/http/client.py
parent6b6756f1283a87091c6186e70b544d4789e12c51 (diff)
bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
Add host validation for control characters for more CVE-2019-18348 protection. (cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Diffstat (limited to 'Lib/http/client.py')
-rw-r--r--Lib/http/client.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py
index d4821f1a96..c0ac7db6f4 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -858,6 +858,8 @@ class HTTPConnection:
(self.host, self.port) = self._get_hostport(host, port)
+ self._validate_host(self.host)
+
# This is stored as an instance variable to allow unit
# tests to replace it with a suitable mockup
self._create_connection = socket.create_connection
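Review bot: The new `self._validate_host(self.host)` call only covers the host given to `__init__`; the tunnel host that `set_tunnel()` stores through the same `_get_hostport` path is not in this hunk, and if it is left unvalidated it would presumably reach the CONNECT request line built by `_tunnel()` without the same control-character check. Consider adding `self._validate_host(self._tunnel_host)` there as well, or a comment stating why that path is exempt. Since `self.host` is a public attribute, a caller that reassigns it after construction also bypasses the check, so a short comment on the added line would help, e.g. `# Checked once at construction; later reassignment of self.host is not re-validated.`. `__init__` begins and ends outside this hunk.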
@@ -1215,6 +1217,14 @@ class HTTPConnection:
raise InvalidURL(f"URL can't contain control characters. {url!r} "
f"(found at least {match.group()!r})")
+ def _validate_host(self, host):
+ """Validate a host so it doesn't contain control characters."""
+ # Prevent CVE-2019-18348.
+ match = _contains_disallowed_url_pchar_re.search(host)
+ if match:
+ raise InvalidURL(f"URL can't contain control characters. {host!r} "
+ f"(found at least {match.group()!r})")
+
def putheader(self, header, *values):
"""Send a request header line to the server.