Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:chajain
python-urllib3
CVE-2020-26116-CRLF-injection.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-26116-CRLF-injection.patch of Package python-urllib3
From d126a7654af03df4ec26ab1be4614279d6c1fec5 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <sethmichaellarson@gmail.com> Date: Wed, 12 Feb 2020 20:03:54 -0600 Subject: [PATCH 1/4] Raise ValueError if method contains control characters --- CHANGES.rst | 3 +++ test/with_dummyserver/test_connectionpool.py | 14 +++++++++++--- test/with_dummyserver/test_poolmanager.py | 2 +- urllib3/connection.py | 16 +++++++++++++++- 4 files changed, 30 insertions(+), 5 deletions(-) --- a/urllib3/connection.py +++ b/urllib3/connection.py @@ -59,7 +59,7 @@ port_by_scheme = { # When it comes time to update this value as a part of regular maintenance # (ie test_recent_date is failing) update it to ~6 months before the current date. -RECENT_DATE = datetime.date(2019, 1, 1) +RECENT_DATE = datetime.date(2021, 1, 1) _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") --- a/test/with_dummyserver/test_connectionpool.py +++ b/test/with_dummyserver/test_connectionpool.py @@ -5,7 +5,6 @@ import sys import unittest import time import warnings -import pytest import mock @@ -23,11 +22,13 @@ from urllib3.exceptions import ( DecodeError, MaxRetryError, ReadTimeoutError, + ProtocolError, NewConnectionError, UnrewindableBodyError, ) from urllib3.packages.six import b, u from urllib3.packages.six.moves.urllib.parse import urlencode +from urllib3.packages.six.moves.http_client import InvalidURL from urllib3.util.retry import Retry, RequestHistory from urllib3.util.timeout import Timeout @@ -659,8 +660,9 @@ class TestConnectionPool(HTTPDummyServer def test_invalid_method_not_allowed(self): for char in [" ", "\r", "\n", "\x00"]: - pool = HTTPConnectionPool(self.host, self.port) - self.assertRaises(ValueError, pool.request, 'GET' + char, '/') + with self.assertRaises(ValueError): + with HTTPConnectionPool(self.host, self.port) as pool: + pool.request("GET" + char, "/") def test_source_address(self): for addr, is_ipv6 in VALID_SOURCE_ADDRESSES: @@ -678,9 +680,8 @@ class TestConnectionPool(HTTPDummyServer for addr in INVALID_SOURCE_ADDRESSES: pool = HTTPConnectionPool(self.host, self.port, source_address=addr, retries=False) # FIXME: This assert flakes sometimes. Not sure why. - self.assertRaises(NewConnectionError, - pool.request, - 'GET', '/source_address?{0}'.format(addr).replace(' ', '%20')) + with self.assertRaises((InvalidURL, ProtocolError)): + pool.request('GET', '/source_address?{0}'.format(addr)) def test_stream_keepalive(self): x = 2 @@ -708,7 +709,7 @@ class TestConnectionPool(HTTPDummyServer preload_content=False ) response.read() - with pytest.raises(StopIteration): + with self.assertRaises(StopIteration): next(response.read_chunked()) def test_read_chunked_on_closed_response(self): @@ -718,7 +719,7 @@ class TestConnectionPool(HTTPDummyServer preload_content=False ) response.close() - with pytest.raises(StopIteration): + with self.assertRaises(StopIteration): next(response.read_chunked()) def test_chunked_gzip(self): --- a/CHANGES.rst +++ b/CHANGES.rst @@ -4,6 +4,9 @@ Changes 1.23 (2018-06-04) ----------------- +* Raise ``ValueError`` if control characters are given in + the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800) + * Allow providing a list of headers to strip from requests when redirecting to a different host. Defaults to the ``Authorization`` header. Different headers can be set via ``Retry.remove_headers_on_redirect``. (Issue #1316)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor