Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Raise ValueError if method contains control characters #1800

Merged
merged 4 commits into from Feb 17, 2020
Merged

Raise ValueError if method contains control characters #1800

merged 4 commits into from Feb 17, 2020
+27 −0

Conversation

sethmlarson
Copy link
Member

Protects against BPO-39603 which was reported to CPython and Requests. The risk of this being exploited is minimal as attackers will rarely have direct control of the request method, but in that case header injection is possible in http.client, urllib3 and requests.

This change makes that not possible, unfortunately there's not really an exception that fits the bill for this error, but hopefully this situation is rare enough that we don't have to care.

pquentin
pquentin requested changes Feb 13, 2020
View reviewed changes
Copy link
Member

@pquentin pquentin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this!

test/with_dummyserver/test_poolmanager.py Outdated Show resolved Hide resolved
src/urllib3/connection.py Outdated Show resolved Hide resolved
pquentin
pquentin reviewed Feb 15, 2020
View reviewed changes
Copy link
Member

@pquentin pquentin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but do you know why tests are failing? It's not necessarily because of this PR

@sethmlarson
Copy link
Member Author

Yeah it's because putrequest() is now a member on HTTPConnection but the documentation in the Python source code is apparently not Sphinx-compatible so it's throwing an error. Tried to figure out how to make autosphinx skip a single member but to no avail yet. :/

@pquentin
Copy link
Member

The remaining failure is a strange macOS Python 2.7 bug that also happens on master. It claims that it does not find the coverage program. Investigating...

@pquentin
Copy link
Member

#1802 should fix the issue we're seeing here

@sethmlarson sethmlarson reopened this Feb 17, 2020
@sethmlarson
Copy link
Member Author

sethmlarson commented Feb 17, 2020
edited

Cycling the build, thanks for the fix in #1802 @pquentin!

@sethmlarson sethmlarson merged commit 1dd69c5 into urllib3:master Feb 17, 2020
@sethmlarson sethmlarson deleted the method-ctrl-chars branch February 17, 2020 21:34
alfredodeza pushed a commit to anchore/anchore-cli that referenced this pull request Oct 6, 2020
Update urllib3 to 1.25.9
71c50ec 
Fixes vulnerability reported and fixed with:

 urllib3/urllib3#1800

Signed-off-by: Alfredo Deza <adeza@anchore.com>
@alfredodeza alfredodeza mentioned this pull request Oct 6, 2020
Merged
alfredodeza pushed a commit to anchore/anchore-engine that referenced this pull request Oct 6, 2020
Fixes vulnerability reported and fixed with:
246d5f0 
 urllib3/urllib3#1800

Relevant changelog section in urllib3: https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1259-2020-04-16

Same fix in anchore/anchore-cli#130

Signed-off-by: Alfredo Deza <adeza@anchore.com>
zhill pushed a commit to zhill/anchore-engine that referenced this pull request Oct 8, 2020
@zhill
Fixes vulnerability reported and fixed with:
4419e05 
 urllib3/urllib3#1800

Relevant changelog section in urllib3: https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1259-2020-04-16

Same fix in anchore/anchore-cli#130

Signed-off-by: Alfredo Deza <adeza@anchore.com>
@omri374 omri374 mentioned this pull request Jan 3, 2021
Merged
Dobatymo pushed a commit to Dobatymo/urllib3 that referenced this pull request Mar 16, 2022
@sethmlarson
Raise ValueError if method contains control characters (urllib3#1800)
6d8ca47
@CxElks CxElks mentioned this pull request Apr 26, 2022
Open
@cx-rotemd cx-rotemd mentioned this pull request May 16, 2022
Open
@cx-tatianab cx-tatianab mentioned this pull request Feb 7, 2023
Open
@dorohayon dorohayon mentioned this pull request Feb 7, 2023
Open
@Yoavast Yoavast mentioned this pull request Feb 27, 2023
Open
@diogopcx diogopcx mentioned this pull request Jun 27, 2023
Open
@pedrompflopes pedrompflopes mentioned this pull request Aug 1, 2023
Open
@apcxtest apcxtest mentioned this pull request Aug 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pquentin pquentin Awaiting requested review from pquentin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sethmlarson @pquentin