bpo-39603: Prevent header injection in http methods

[amiremohamadi]

reject control chars in http method in http.client.putrequest to prevent http header injection

https://bugs.python.org/issue39603

Automerge-Triggered-By: @gvanrossum

[codecov]

Codecov Report

Merging #18485 into master will increase coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master   #18485     +/-   ##
=========================================
  Coverage   82.12%   82.12%             
=========================================
  Files        1955     1955             
  Lines      588958   583810   -5148     
  Branches    44428    44449     +21     
=========================================
- Hits       483663   479453   -4210     
+ Misses      95652    94713    -939     
- Partials     9643     9644      +1     

Impacted Files	Coverage Δ
Lib/distutils/tests/test_bdist_rpm.py	30.00% <0.00%> (-65.00%)	⬇️
Lib/distutils/command/bdist_rpm.py	7.63% <0.00%> (-56.88%)	⬇️
Lib/test/test_urllib2net.py	76.92% <0.00%> (-13.85%)	⬇️
Lib/test/test_smtpnet.py	78.57% <0.00%> (-7.15%)	⬇️
Lib/ftplib.py	63.85% <0.00%> (-6.06%)	⬇️
Lib/test/test_ftplib.py	87.11% <0.00%> (-4.72%)	⬇️
Tools/scripts/db2pickle.py	17.82% <0.00%> (-3.97%)	⬇️
Tools/scripts/pickle2db.py	16.98% <0.00%> (-3.78%)	⬇️
Lib/test/test_socket.py	71.94% <0.00%> (-3.77%)	⬇️
Lib/test/test_asyncio/test_base_events.py	91.84% <0.00%> (-3.30%)	⬇️
... and 343 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b138dd2...5d9825f. Read the comment docs.

[amiremohamadi]

Should I write some tests??!

[alex]

This looks correct to me, however I'm far from an expert in the http module, so I'd appreciate a second review.

[jaraco]

This looks good to me. By providing an _validate method, it enables subclasses an escape hatch to suppress or customize the validation.

[gvanrossum]

So this basically disallows control characters. It still allows spaces, which seems questionable, and non-ASCII bytes, which seems even more questionable (though probably disallowed by the ASCII encoding requirement), as well as ASCII punctuation characters (which I'm not sure would be useful). Could we just match the entire verb against r"\A\w+\Z"? Or are there use cases for having punctuation or spaces in the HTTP verb( method)?

[gvanrossum]

Placing the validation right behind this comment is somewhat misleading -- the comment explains the assignment, but the validation is not just for the assignment -- its primary use is for the construction of the request variable a few lines nelow (L1099 in this version). I recommend moving this up and placing blank lines around it.

[amiremohamadi]

So this basically disallows control characters. It still allows spaces, which seems questionable, and non-ASCII bytes, which seems even more questionable (though probably disallowed by the ASCII encoding requirement), as well as ASCII punctuation characters (which I'm not sure would be useful). Could we just match the entire verb against r"\A\w+\Z"? Or are there use cases for having punctuation or spaces in the HTTP verb( method)?

@gvanrossum Thank you for the review!
I'm not sure but _encode_request method (L1102) encodes the request (including method) to ASCII. So do we need to restrict non-ASCII characters?

[gvanrossum]

Thanks. I'm approving this. The security issue is fixed by this, if people want to screw around with weird verbs I guess the server will just reject it.

[miss-islington]

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again..

[miss-islington]

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again..

[miss-islington]

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again..

[miss-islington]

Sorry, I can't merge this PR. Reason: Base branch was modified. Review and try the merge again..

[bedevere-bot]

GH-21537 is a backport of this pull request to the 3.8 branch.

[bedevere-bot]

GH-21538 is a backport of this pull request to the 3.7 branch.

[bedevere-bot]

GH-21539 is a backport of this pull request to the 3.6 branch.

[orsenthil]

Thank you, everyone - who got involved with review of this patch. The review comments that were mentioned in bpo ticket seems to have been addressed. The changes look good to me.

[vstinner]

I created a backport to 3.5, can someone please review it? PR #21946.