The bpo-43882 fix changed the behavior of the urllib.parse functions from passing \r\n through to stripping them entirely. As a result, test_inject_space now fails:
```
_______________________________________________________________ test_inject_space ________________________________________________________________
tests/test_http.py:738: in test_inject_space
assert req.uri == "/?q=%20HTTP/1.1%0D%0Aignore-http:"
E AssertionError: assert '/?q=%20HTTP/1.1ignore-http:' == '/?q=%20HTTP/1...0Aignore-http:'
E - /?q=%20HTTP/1.1ignore-http:
E + /?q=%20HTTP/1.1%0D%0Aignore-http:
E ? ++++++
```
Given the following comment:
```
# "\r\nignore-http:" suffix is nuance for current server implementation
# please only pay attention to space after "?q="
```
maybe it would be sufficient to replace the assert with a `.startswith("/?q=%20HTTP/1.1"`, maybe combined with `not "\n" in ...`.
However, since this is a security fix, we've also backported it to 3.9.4, 3.8.9 and earlier branches on Gentoo. So please don't rely on a specific version.
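A version-independent form of the check suggested above, as an added example that is not httplib2's test code: `request_target` is a hypothetical stand-in for how a client might build the request-line target (an assumption), and `check_no_injection` extends the suggested `startswith` / `not "\n" in` test to also reject a raw space, CR and tab. It detects the `urlsplit` behavior at run time instead of comparing Python version numbers, since the fix was backported.

```python
from urllib.parse import quote, urlsplit

# Constructed input modelled on the failing test: a space and CRLF in the query.
INJECTED = "http://example.invalid/?q= HTTP/1.1\r\nignore-http:"

# Both outcomes are safe: CRLF percent-encoded (before the fix) or
# stripped by urlsplit (after the bpo-43882 fix).
ACCEPTABLE = (
    "/?q=%20HTTP/1.1%0D%0Aignore-http:",
    "/?q=%20HTTP/1.1ignore-http:",
)


def urlsplit_strips_newlines():
    """Feature-detect the bpo-43882 behavior instead of checking versions."""
    return "\n" not in urlsplit("http://example.invalid/?a\nb").query


def request_target(url):
    """Hypothetical client-side helper (assumption, not httplib2's code):
    split the URL, then percent-encode path and query for the request line."""
    parts = urlsplit(url)
    target = quote(parts.path or "/", safe="/")
    if parts.query:
        target += "?" + quote(parts.query, safe="=&/:")
    return target


def check_no_injection(target):
    """True when the space after '?q=' is encoded and no raw character that
    could split the request line (space, CR, LF, tab) survives."""
    if not target.startswith("/?q=%20HTTP/1.1"):
        return False
    return not any(ch in target for ch in " \r\n\t")


if __name__ == "__main__":
    target = request_target(INJECTED)
    print("urlsplit strips newlines:", urlsplit_strips_newlines())
    print("request target:", target)
    print("safe:", check_no_injection(target))
```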