diff options
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/http/client.py | 2 | ||||
| -rw-r--r-- | Lib/test/test_urllib.py | 10 |
2 files changed, 7 insertions, 5 deletions
diff --git a/Lib/http/client.py b/Lib/http/client.py index 99d6a68cf4..f71a062d2b 100644 --- a/Lib/http/client.py +++ b/Lib/http/client.py @@ -1091,7 +1091,7 @@ class HTTPConnection: url = '/' # Prevent CVE-2019-9740. if match := _contains_disallowed_url_pchar_re.search(url): - raise ValueError(f"URL can't contain control characters. {url!r} " + raise InvalidURL(f"URL can't contain control characters. {url!r} " f"(found at least {match.group()!r})") request = '%s %s %s' % (method, url, self._http_vsn_str) diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py index c5b23f935b..7214492eca 100644 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -343,11 +343,12 @@ class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin): # calls urllib.parse.quote() on the URL which makes all of the # above attempts at injection within the url _path_ safe. escaped_char_repr = repr(char).replace('\\', r'\\') + InvalidURL = http.client.InvalidURL with self.assertRaisesRegex( - ValueError, f"contain control.*{escaped_char_repr}"): + InvalidURL, f"contain control.*{escaped_char_repr}"): urllib.request.urlopen(f"http:{schemeless_url}") with self.assertRaisesRegex( - ValueError, f"contain control.*{escaped_char_repr}"): + InvalidURL, f"contain control.*{escaped_char_repr}"): urllib.request.urlopen(f"https:{schemeless_url}") # This code path quotes the URL so there is no injection. resp = urlopen(f"http:{schemeless_url}") @@ -367,10 +368,11 @@ class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin): # urlopen uses FancyURLOpener which goes via a codepath that # calls urllib.parse.quote() on the URL which makes all of the # above attempts at injection within the url _path_ safe. + InvalidURL = http.client.InvalidURL with self.assertRaisesRegex( - ValueError, r"contain control.*\\r.*(found at least . .)"): + InvalidURL, r"contain control.*\\r.*(found at least . .)"): urllib.request.urlopen(f"http:{schemeless_url}") - with self.assertRaisesRegex(ValueError, r"contain control.*\\n"): + with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"): urllib.request.urlopen(f"https:{schemeless_url}") # This code path quotes the URL so there is no injection. resp = urlopen(f"http:{schemeless_url}") |