git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Victor Stinner <victor.stinner@gmail.com>
	Tue, 21 May 2019 13:12:33 +0000 (15:12 +0200)
committer	GitHub <noreply@github.com>
	Tue, 21 May 2019 13:12:33 +0000 (15:12 +0200)
commit	bb8071a4cae5ab3fe321481dd3d73662ffb26052
tree	3d9275cd9c9c35aec5475768deae1e4a90b174b7	tree \| snapshot
parent	c841a30879b14e40db93bd4aca56bdcec7a83133	commit \| diff

bpo-30458: Disallow control chars in http URLs (GH-12755) (GH-13154) (GH-13315)

Disallow control chars in http URLs in urllib2.urlopen. This
addresses a potential security problem for applications that do not
sanity check their URLs where http request headers could be injected.

Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when
python is built without SSL to fix test failures.

Use httplib.InvalidURL instead of ValueError as the new error case's
exception. (GH-13044)

Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>

(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)

Notes on backport to Python 2.7:

* test_urllib tests urllib.urlopen() which quotes the URL and so is
not vulerable to HTTP Header Injection.
* Add tests to test_urllib2 on urllib2.urlopen().
* Reject non-ASCII characters: range 0x80-0xff.

Lib/httplib.py		diff \| blob \| blame \| history
Lib/test/test_urllib.py		diff \| blob \| blame \| history
Lib/test/test_urllib2.py		diff \| blob \| blame \| history
Lib/test/test_xmlrpc.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst	[new file with mode: 0644]	blob