File CVE-2020-26116-CRLF-injection.patch of Package python-urllib3
From d126a7654af03df4ec26ab1be4614279d6c1fec5 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <sethmichaellarson@gmail.com>
Date: Wed, 12 Feb 2020 20:03:54 -0600
Subject: [PATCH 1/4] Raise ValueError if method contains control characters
---
CHANGES.rst | 3 +++
test/with_dummyserver/test_connectionpool.py | 14 +++++++++++---
test/with_dummyserver/test_poolmanager.py | 2 +-
urllib3/connection.py | 16 +++++++++++++++-
4 files changed, 30 insertions(+), 5 deletions(-)
--- a/urllib3/connection.py
+++ b/urllib3/connection.py
@@ -59,7 +59,7 @@ port_by_scheme = {
# When it comes time to update this value as a part of regular maintenance
# (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2021, 1, 1)
_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
--- a/test/with_dummyserver/test_connectionpool.py
+++ b/test/with_dummyserver/test_connectionpool.py
@@ -5,7 +5,6 @@ import sys
import unittest
import time
import warnings
-import pytest
import mock
@@ -23,11 +22,13 @@ from urllib3.exceptions import (
DecodeError,
MaxRetryError,
ReadTimeoutError,
+ ProtocolError,
NewConnectionError,
UnrewindableBodyError,
)
from urllib3.packages.six import b, u
from urllib3.packages.six.moves.urllib.parse import urlencode
+from urllib3.packages.six.moves.http_client import InvalidURL
from urllib3.util.retry import Retry, RequestHistory
from urllib3.util.timeout import Timeout
@@ -659,8 +660,9 @@ class TestConnectionPool(HTTPDummyServer
def test_invalid_method_not_allowed(self):
for char in [" ", "\r", "\n", "\x00"]:
- pool = HTTPConnectionPool(self.host, self.port)
- self.assertRaises(ValueError, pool.request, 'GET' + char, '/')
+ with self.assertRaises(ValueError):
+ with HTTPConnectionPool(self.host, self.port) as pool:
+ pool.request("GET" + char, "/")
def test_source_address(self):
for addr, is_ipv6 in VALID_SOURCE_ADDRESSES:
@@ -678,9 +680,8 @@ class TestConnectionPool(HTTPDummyServer
for addr in INVALID_SOURCE_ADDRESSES:
pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False)
# FIXME: This assert flakes sometimes. Not sure why.
- self.assertRaises(NewConnectionError,
- pool.request,
- 'GET', '/source_address?{0}'.format(addr).replace(' ', '%20'))
+ with self.assertRaises((InvalidURL, ProtocolError)):
+ pool.request('GET', '/source_address?{0}'.format(addr))
def test_stream_keepalive(self):
x = 2
@@ -708,7 +709,7 @@ class TestConnectionPool(HTTPDummyServer
preload_content=False
)
response.read()
- with pytest.raises(StopIteration):
+ with self.assertRaises(StopIteration):
next(response.read_chunked())
def test_read_chunked_on_closed_response(self):
@@ -718,7 +719,7 @@ class TestConnectionPool(HTTPDummyServer
preload_content=False
)
response.close()
- with pytest.raises(StopIteration):
+ with self.assertRaises(StopIteration):
next(response.read_chunked())
def test_chunked_gzip(self):
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@ Changes
1.23 (2018-06-04)
-----------------
+* Raise ``ValueError`` if control characters are given in
+ the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800)
+
* Allow providing a list of headers to strip from requests when redirecting
to a different host. Defaults to the ``Authorization`` header. Different
headers can be set via ``Retry.remove_headers_on_redirect``. (Issue #1316)