Raise ValueError if method contains control characters #1800
Conversation
Thanks for tackling this!
Looks good, but do you know why tests are failing? It's not necessarily because of this PR
Yeah it's because
The remaining failure is a strange macOS Python 2.7 bug that also happens on master. It claims that it does not find the coverage program. Investigating...
#1802 should fix the issue we're seeing here
Fixes vulnerability reported and fixed with: urllib3/urllib3#1800 Signed-off-by: Alfredo Deza <adeza@anchore.com>
urllib3/urllib3#1800 Relevant changelog section in urllib3: https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1259-2020-04-16 Same fix in anchore/anchore-cli#130 Signed-off-by: Alfredo Deza <adeza@anchore.com>
Protects against BPO-39603 which was reported to CPython and Requests. The risk of this being exploited is minimal as attackers will rarely have direct control of the request method, but in that case header injection is possible in `http.client`, `urllib3` and `requests`. This change makes that not possible. Unfortunately there's not really an exception that fits the bill for this error, but hopefully this situation is rare enough that we don't have to care.