Check that absolute-path@request-target starts w /

Fixes #39 regression
cherrypy · Aug 6, 2017 · eee2204 · eee2204
1 parent 3c2bcf5
commit eee2204
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,3 +1,10 @@
+v5.8.2
+======
+
+- Fix #39 regression. Add HTTP request line check:
+  absolute URI path must start with a
+  forward slash ("/").
+
 v5.8.1
 ======
 

diff --git a/cheroot/server.py b/cheroot/server.py
@@ -732,8 +732,6 @@ def read_request_line(self):
             authority = uri
         else:
             try:
-                # https://tools.ietf.org/html/rfc7230#section-5.3.1 (origin_form) and
-                # https://tools.ietf.org/html/rfc7230#section-5.3.2 (absolute form)
                 if six.PY2:  # FIXME: Figure out better way to do this
                     # Ref: https://stackoverflow.com/a/196392/595220 (like this?)
                     """This is a dummy check for unicode in URI."""
@@ -743,11 +741,25 @@ def read_request_line(self):
                 self.simple_response('400 Bad Request', 'Malformed Request-URI')
                 return False
 
-            if (self.strict_mode and not self.proxy_mode) and (scheme or authority):
+            uri_is_absolute_form = (scheme or authority)
+
+            if (self.strict_mode and not self.proxy_mode) and uri_is_absolute_form:
+                # https://tools.ietf.org/html/rfc7230#section-5.3.2 (absolute form)
+                """Absolute URI is only allowed within proxies."""
                 self.simple_response('400 Bad Request',
                                      'Absolute URI not allowed if server is not a proxy.')
                 return False
 
+            if self.strict_mode and not uri.startswith(FORWARD_SLASH) and not uri_is_absolute_form:
+                # https://tools.ietf.org/html/rfc7230#section-5.3.1 (origin_form) and
+                """Path should start with a forward slash."""
+                self.simple_response('400 Bad Request',
+                                     'Invalid path in Request-URI: '
+                                     'request-target must contain origin-form '
+                                     'which starts with absolute-path '
+                                     '(URI starting with a slash "/").')
+                return False
+
             if fragment:
                 self.simple_response('400 Bad Request',
                                      'Illegal #fragment in Request-URI.')

diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
@@ -56,8 +56,7 @@ def test_query_string_request(self):
         self.assertBody(b'test=True')
 
     def test_parse_uri(self):
-        for uri in ['/hello', '/query_string?test=True', 'hello',
-                    url_quote('привіт'),
+        for uri in ['/hello', '/query_string?test=True',
                     '/{0}?{1}={2}'.format(
                         *map(url_quote, ('Юххууу', 'ї', 'йо'))
                     )]:
@@ -82,6 +81,11 @@ def test_parse_uri_invalid_uri(self):
         assert response.fp.read(21) == b'Malformed Request-URI'
         c.close()
 
+        for uri in ['hello',
+                    url_quote('привіт')]:
+            self.getPage(uri)
+            self.assertStatus(HTTP_BAD_REQUEST)
+
     def test_parse_uri_absolute_uri(self):
         self.getPage('http://google.com/')
         self.assertStatus(HTTP_BAD_REQUEST)