Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
After the python3 fix for CVE-2019-9740 test_null_bytes fails #1781
I'm submitting a ...
Do you want to request a feature or report a bug?
What is the current behavior?
Throwing an exception here is actually completely correct behavior after fixing python/cpython#13044 (CVE-2019-9740).
If the current behavior is a bug, please provide the steps to reproduce and if possible a screenshots and logs of the problem. If you can, show us your code.
What is the expected behavior?
What is the motivation / use case for changing the behavior?
Please tell us about your environment:
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)
This is not because of the urllib or urllib3.
CPython upstream has patched
The test tries to inject a know malicious sequence into the Request-Line of a test HTTP request and expects the server to reply with an error. There's a similar test in Cheroot as well (https://github.com/cherrypy/cheroot/blob/7558014/cheroot/test/test_core.py#L137-L164).
But with the latest CPython it fails to create such a request because they forbid it now.
FTR here's an instance of this error in the CI: https://travis-ci.org/cherrypy/cherrypy/jobs/549122435#L558
Fixes cherrypy#1781 Recent versions of CPython have gotten more picky about the sorts of paths callers can pass to http.client's putrequest. Since we don't have any control over what clients might send, though, keep coverage of the invalid-request behavior by just opening up a socket and sending some bytes. See also: https://bugs.python.org/issue38216