diff options
| author | AMIR <31338382+amiremohamadi@users.noreply.github.com> | 2020-07-19 00:46:10 +0430 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-07-18 13:16:10 -0700 |
| commit | 8ca8a2e8fb068863c1138f07e3098478ef8be12e (patch) | |
| tree | bd8512b01b0ce918d4678c0c848418a4ab3f00a1 /Lib/test/test_httplib.py | |
| parent | 9b01c598ca2576a1056816e85dd84bf5f9c74688 (diff) | |
| download | cpython-git-8ca8a2e8fb068863c1138f07e3098478ef8be12e.tar.gz | |
bpo-39603: Prevent header injection in http methods (GH-18485)
reject control chars in http method in http.client.putrequest to prevent http header injection
Diffstat (limited to 'Lib/test/test_httplib.py')
| -rw-r--r-- | Lib/test/test_httplib.py | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index 1ac31bf2a8..3431bb80ea 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -368,6 +368,28 @@ class HeaderTests(TestCase): self.assertEqual(lines[3], "header: Second: val2") +class HttpMethodTests(TestCase): + def test_invalid_method_names(self): + methods = ( + 'GET\r', + 'POST\n', + 'PUT\n\r', + 'POST\nValue', + 'POST\nHOST:abc', + 'GET\nrHost:abc\n', + 'POST\rRemainder:\r', + 'GET\rHOST:\n', + '\nPUT' + ) + + for method in methods: + with self.assertRaisesRegex( + ValueError, "method can't contain control characters"): + conn = client.HTTPConnection('example.com') + conn.sock = FakeSocket(None) + conn.request(method=method, url="/") + + class TransferEncodingTest(TestCase): expected_body = b"It's just a flesh wound" |