Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.5] bpo-39603: Prevent header injection in http methods (GH-18485) #21946

Merged
merged 1 commit into from
Sep 4, 2020
Merged

[3.5] bpo-39603: Prevent header injection in http methods (GH-18485) #21946

merged 1 commit into from
Sep 4, 2020

Conversation

vstinner
Copy link
Member

@vstinner vstinner commented Aug 24, 2020
edited by bedevere-bot

reject control chars in http method in http.client.putrequest to prevent http header injection

(cherry picked from commit 8ca8a2e)

https://bugs.python.org/issue39603

@amiremohamadi @vstinner
bpo-39603: Prevent header injection in http methods (GH-18485)
20d6047 
reject control chars in http method in http.client.putrequest to prevent http header injection

(cherry picked from commit 8ca8a2e)
@vstinner vstinner mentioned this pull request Aug 24, 2020
Merged
@vstinner
Copy link
Member Author

Notes on the backport:

  • I replaced f-string with %r formatting.
  • I modified test_main() to include HttpMethodTests test case.

jaraco
jaraco approved these changes Aug 24, 2020
View reviewed changes
Copy link
Member

@jaraco jaraco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

orsenthil
orsenthil approved these changes Aug 24, 2020
View reviewed changes
Copy link
Member

@orsenthil orsenthil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@vstinner
Copy link
Member Author

@larryhastings: The CI passed and 3 core dev approved the PR. Would you mind to merge it?

@larryhastings larryhastings merged commit 524b8de into python:3.5 Sep 4, 2020
@bedevere-bot
Copy link

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!

@larryhastings
Copy link
Contributor

Thanks for the backport! This miiiiight be the last checkin for 3.5 ever... we'll see!

@vstinner vstinner deleted the fix_http_method_35 branch September 4, 2020 09:44
@stratakis stratakis mentioned this pull request Sep 29, 2020
Merged
encukou pushed a commit to encukou/cpython that referenced this pull request Sep 30, 2020
@amiremohamadi @encukou
00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
2da5f0e 
00354 #
Reject control chars in HTTP method in httplib.putrequest to prevent
HTTP header injection

Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
- https://bugs.python.org/issue39603
- python#18485 (3.10)
- python#21946 (3.5)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
hroncok pushed a commit to fedora-python/cpython that referenced this pull request Apr 19, 2021
@amiremohamadi @hroncok
00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
4190ca2 
00354 #
Reject control chars in HTTP method in httplib.putrequest to prevent
HTTP header injection

Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
- https://bugs.python.org/issue39603
- python#18485 (3.10)
- python#21946 (3.5)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
hroncok pushed a commit to fedora-python/cpython that referenced this pull request May 19, 2021
@amiremohamadi @hroncok
00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
4c025e5 
00354 #
Reject control chars in HTTP method in httplib.putrequest to prevent
HTTP header injection

Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
- https://bugs.python.org/issue39603
- python#18485 (3.10)
- python#21946 (3.5)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
stratakis pushed a commit to stratakis/cpython that referenced this pull request Jul 18, 2022
@amiremohamadi @stratakis
00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
b8ea6b6 
00354 #
Reject control chars in HTTP method in httplib.putrequest to prevent
HTTP header injection

Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
- https://bugs.python.org/issue39603
- python#18485 (3.10)
- python#21946 (3.5)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alex alex alex approved these changes

@jaraco jaraco jaraco approved these changes

@orsenthil orsenthil orsenthil approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@vstinner @bedevere-bot @larryhastings @alex @jaraco @orsenthil @the-knights-who-say-ni @amiremohamadi