bpo-39603: Prevent header injection in http methods (GH-18485) reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>

commit: 27b811057ff5e93b68798e278c88358123efdc71 [log] [tgz]
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Sat Jul 18 13:41:55 2020 -0700
committer: GitHub <noreply@github.com> Sat Jul 18 13:41:55 2020 -0700
tree: 14a2e7e3ae4b8e17e8e577d9c503d18920f89f4b
parent: f92544483fc724b7e9ac11b2ee86b38e069cc70f [diff] [blame]
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index e95487b..ed12589 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py

@@ -365,6 +365,28 @@
         self.assertEqual(lines[3], "header: Second: val2")
 
 
+class HttpMethodTests(TestCase):
+    def test_invalid_method_names(self):
+        methods = (
+            'GET\r',
+            'POST\n',
+            'PUT\n\r',
+            'POST\nValue',
+            'POST\nHOST:abc',
+            'GET\nrHost:abc\n',
+            'POST\rRemainder:\r',
+            'GET\rHOST:\n',
+            '\nPUT'
+        )
+
+        for method in methods:
+            with self.assertRaisesRegex(
+                    ValueError, "method can't contain control characters"):
+                conn = client.HTTPConnection('example.com')
+                conn.sock = FakeSocket(None)
+                conn.request(method=method, url="/")
+
+
 class TransferEncodingTest(TestCase):
     expected_body = b"It's just a flesh wound"
commit	27b811057ff5e93b68798e278c88358123efdc71	[log] [tgz]
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	Sat Jul 18 13:41:55 2020 -0700
committer	GitHub <noreply@github.com>	Sat Jul 18 13:41:55 2020 -0700
tree	14a2e7e3ae4b8e17e8e577d9c503d18920f89f4b
parent	f92544483fc724b7e9ac11b2ee86b38e069cc70f [diff] [blame]