File CVE-2020-26116-CRLF-injection.patch of Package python-urllib3
From d126a7654af03df4ec26ab1be4614279d6c1fec5 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <sethmichaellarson@gmail.com>
Date: Wed, 12 Feb 2020 20:03:54 -0600
Subject: [PATCH 1/4] Raise ValueError if method contains control characters
---
CHANGES.rst | 3 +++
test/with_dummyserver/test_connectionpool.py | 13 ++++++++-----
test/with_dummyserver/test_poolmanager.py | 2 +-
urllib3/connection.py | 15 ++++++++++++++-
4 files changed, 26 insertions(+), 7 deletions(-)
--- a/urllib3/connection.py
+++ b/urllib3/connection.py
@@ -60,7 +60,7 @@ port_by_scheme = {
# When updating RECENT_DATE, move it to
# within two years of the current date, and not
# less than 6 months ago.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2021, 1, 1)
_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
--- a/test/with_dummyserver/test_connectionpool.py
+++ b/test/with_dummyserver/test_connectionpool.py
@@ -22,11 +22,13 @@ from urllib3.exceptions import (
DecodeError,
MaxRetryError,
ReadTimeoutError,
+ ProtocolError,
NewConnectionError,
UnrewindableBodyError,
)
from urllib3.packages.six import b, u
from urllib3.packages.six.moves.urllib.parse import urlencode
+from urllib3.packages.six.moves.http_client import InvalidURL
from urllib3.util.retry import Retry, RequestHistory
from urllib3.util.timeout import Timeout
@@ -658,8 +660,10 @@ class TestConnectionPool(HTTPDummyServer
def test_invalid_method_not_allowed(self):
for char in [" ", "\r", "\n", "\x00"]:
- pool = HTTPConnectionPool(self.host, self.port)
- self.assertRaises(ValueError, pool.request, 'GET' + char, '/')
+ with self.assertRaises(ValueError):
+ with HTTPConnectionPool(self.host, self.port) as pool:
+ pool.request("GET" + char, "/")
+
def test_source_address(self):
for addr, is_ipv6 in VALID_SOURCE_ADDRESSES:
@@ -677,9 +681,8 @@ class TestConnectionPool(HTTPDummyServer
for addr in INVALID_SOURCE_ADDRESSES:
pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False)
# FIXME: This assert flakes sometimes. Not sure why.
- self.assertRaises(NewConnectionError,
- pool.request,
- 'GET', '/source_address?{0}'.format(addr).replace(' ', '%20'))
+ with self.assertRaises((InvalidURL, NewConnectionError, ProtocolError)):
+ pool.request('GET', '/source_address?{0}'.format(addr))
def test_stream_keepalive(self):
x = 2
--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
@@ -1,7 +1,7 @@
import unittest
import json
-from nose.plugins.skip import SkipTest
+from unittest import SkipTest
from dummyserver.server import HAS_IPV6
from dummyserver.testcase import (HTTPDummyServerTestCase,
IPv6HTTPDummyServerTestCase)
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,9 @@
Changes
=======
+* Raise ``ValueError`` if control characters are given in
+ the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800)
+
* Allow providing a list of headers to strip from requests when redirecting
to a different host. Defaults to the ``Authorization`` header. Different
headers can be set via ``Retry.remove_headers_on_redirect``. (Issue #1316)
