00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patchfedora-2.7.18-6fedora-2.7

00354 #
Reject control chars in HTTP method in httplib.putrequest to prevent
HTTP header injection

Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
- https://bugs.python.org/issue39603
- https://github.com/python/cpython/pull/18485 (3.10)
- https://github.com/python/cpython/pull/21946 (3.5)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>

1 files changed, 23 insertions, 0 deletions

diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index d8a57f7353..e295bb796e 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -385,6 +385,28 @@ class HeaderTests(TestCase):
                 conn.putheader(name, value)
 
 
+class HttpMethodTests(TestCase):
+    def test_invalid_method_names(self):
+        methods = (
+            'GET\r',
+            'POST\n',
+            'PUT\n\r',
+            'POST\nValue',
+            'POST\nHOST:abc',
+            'GET\nrHost:abc\n',
+            'POST\rRemainder:\r',
+            'GET\rHOST:\n',
+            '\nPUT'
+        )
+
+        for method in methods:
+            with self.assertRaisesRegexp(
+                    ValueError, "method can't contain control characters"):
+                conn = httplib.HTTPConnection('example.com')
+                conn.sock = FakeSocket(None)
+                conn.request(method=method, url="/")
+
+
 class BasicTest(TestCase):
     def test_status_lines(self):
         # Test HTTP status lines
@@ -1010,6 +1032,7 @@ class TunnelTests(TestCase):
 @test_support.reap_threads
 def test_main(verbose=None):
     test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
+                              HttpMethodTests,
                               HTTPTest, HTTPSTest, SourceAddressTest,
                               TunnelTests)