1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: AMIR <31338382+amiremohamadi@users.noreply.github.com>
3 Date: Sun, 19 Jul 2020 00:46:10 +0430
4 Subject: [PATCH]
5 00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
6
7 00354 #
8 Reject control chars in HTTP method in httplib.putrequest to prevent
9 HTTP header injection
10
11 Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
12 - https://bugs.python.org/issue39603
13 - https://github.com/python/cpython/pull/18485 (3.10)
14 - https://github.com/python/cpython/pull/21946 (3.5)
15
16 Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
17 ---
18 Lib/httplib.py | 16 +++++++++++++
19 Lib/test/test_httplib.py | 23 +++++++++++++++++++
20 .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
21 3 files changed, 41 insertions(+)
22 create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
23
24 diff --git a/Lib/httplib.py b/Lib/httplib.py
25 index fcc4152aaf2..a63677477d5 100644
26 --- a/Lib/httplib.py
27 +++ b/Lib/httplib.py
28 @@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
29 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
30 # We are more lenient for assumed real world compatibility purposes.
31
32 +# These characters are not allowed within HTTP method names
33 +# to prevent http header injection.
34 +_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
35 +
36 # We always set the Content-Length header for these methods because some
37 # servers will otherwise respond with a 411
38 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
39 @@ -935,6 +939,8 @@ class HTTPConnection:
40 else:
41 raise CannotSendRequest()
42
43 + self._validate_method(method)
44 +
45 # Save the method for use later in the response phase
46 self._method = method
47
48 @@ -1020,6 +1026,16 @@ class HTTPConnection:
49 # On Python 2, request is already encoded (default)
50 return request
51
52 + def _validate_method(self, method):
53 + """Validate a method name for putrequest."""
54 + # prevent http header injection
55 + match = _contains_disallowed_method_pchar_re.search(method)
56 + if match:
57 + raise ValueError(
58 + "method can't contain control characters. %r "
59 + "(found at least %r)"
60 + % (method, match.group()))
61 +
62 def _validate_path(self, url):
63 """Validate a url for putrequest."""
64 # Prevent CVE-2019-9740.
65 diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
66 index d8a57f73530..e295bb796ec 100644
67 --- a/Lib/test/test_httplib.py
68 +++ b/Lib/test/test_httplib.py
69 @@ -385,6 +385,28 @@ class HeaderTests(TestCase):
70 conn.putheader(name, value)
71
72
73 +class HttpMethodTests(TestCase):
74 + def test_invalid_method_names(self):
75 + methods = (
76 + 'GET\r',
77 + 'POST\n',
78 + 'PUT\n\r',
79 + 'POST\nValue',
80 + 'POST\nHOST:abc',
81 + 'GET\nrHost:abc\n',
82 + 'POST\rRemainder:\r',
83 + 'GET\rHOST:\n',
84 + '\nPUT'
85 + )
86 +
87 + for method in methods:
88 + with self.assertRaisesRegexp(
89 + ValueError, "method can't contain control characters"):
90 + conn = httplib.HTTPConnection('example.com')
91 + conn.sock = FakeSocket(None)
92 + conn.request(method=method, url="/")
93 +
94 +
95 class BasicTest(TestCase):
96 def test_status_lines(self):
97 # Test HTTP status lines
98 @@ -1010,6 +1032,7 @@ class TunnelTests(TestCase):
99 @test_support.reap_threads
100 def test_main(verbose=None):
101 test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
102 + HttpMethodTests,
103 HTTPTest, HTTPSTest, SourceAddressTest,
104 TunnelTests)
105
106 diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
107 new file mode 100644
108 index 00000000000..990affc3edd
109 --- /dev/null
110 +++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
111 @@ -0,0 +1,2 @@
112 +Prevent http header injection by rejecting control characters in
113 +http.client.putrequest(...).
|
