Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
python-urllib3
CVE-2020-26116-CRLF-injection.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-26116-CRLF-injection.patch of Package python-urllib3
From d126a7654af03df4ec26ab1be4614279d6c1fec5 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <sethmichaellarson@gmail.com> Date: Wed, 12 Feb 2020 20:03:54 -0600 Subject: [PATCH 1/4] Raise ValueError if method contains control characters --- CHANGES.rst | 3 +++ test/with_dummyserver/test_connectionpool.py | 13 ++++++++++--- urllib3/connection.py | 16 +++++++++++++++- 3 files changed, 28 insertions(+), 4 deletions(-) --- a/urllib3/connection.py +++ b/urllib3/connection.py @@ -1,4 +1,5 @@ from __future__ import absolute_import +import re import datetime import logging import os @@ -59,7 +60,9 @@ port_by_scheme = { # When updating RECENT_DATE, move it to # within two years of the current date, and not # less than 6 months ago. -RECENT_DATE = datetime.date(2019, 1, 1) +RECENT_DATE = datetime.date(2021, 1, 1) + +_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") class DummyConnection(object): @@ -166,6 +169,17 @@ class HTTPConnection(_HTTPConnection, ob conn = self._new_conn() self._prepare_conn(conn) + def putrequest(self, method, url, *args, **kwargs): + """Send a request to the server""" + match = _CONTAINS_CONTROL_CHAR_RE.search(method) + if match: + raise ValueError( + "Method cannot contain non-token characters %r (found at least %r)" + % (method, match.group()) + ) + + return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) + def request_chunked(self, method, url, body=None, headers=None): """ Alternative to the common request method, which sends the --- a/test/with_dummyserver/test_connectionpool.py +++ b/test/with_dummyserver/test_connectionpool.py @@ -27,6 +27,7 @@ from urllib3.exceptions import ( ) from urllib3.packages.six import b, u from urllib3.packages.six.moves.urllib.parse import urlencode +from urllib3.packages.six.moves.http_client import InvalidURL from urllib3.util.retry import Retry, RequestHistory from urllib3.util.timeout import Timeout @@ -672,9 +673,8 @@ class TestConnectionPool(HTTPDummyServer for addr in INVALID_SOURCE_ADDRESSES: pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False) # FIXME: This assert flakes sometimes. Not sure why. - self.assertRaises(NewConnectionError, - pool.request, - 'GET', '/source_address?{0}'.format(addr)) + with self.assertRaises((InvalidURL, ProtocolError)): + pool.request('GET', '/source_address?{0}'.format(addr)) def test_stream_keepalive(self): x = 2 @@ -737,6 +737,13 @@ class TestConnectionPool(HTTPDummyServer response = pool.request('GET', "http://LoCaLhOsT:%d/" % self.port) self.assertEqual(response.status, 200) + def test_invalid_method_not_allowed(self): + for char in [" ", "\r", "\n", "\x00"]: + with self.assertRaises(ValueError): + with HTTPConnectionPool(self.host, self.port) as pool: + pool.request("GET" + char, "/") + + class TestRetry(HTTPDummyServerTestCase): def setUp(self): --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,6 +1,9 @@ Changes ======= +* Raise ``ValueError`` if control characters are given in + the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800) + * Allow providing a list of headers to strip from requests when redirecting to a different host. Defaults to the ``Authorization`` header. Different headers can be set via ``Retry.remove_headers_on_redirect``. (Issue #1316)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor