bpo-39603: Prevent header injection in http methods (GH-18485) reject control chars in http method in http.client.putrequest to prevent http header injection

commit: 8ca8a2e8fb068863c1138f07e3098478ef8be12e [log] [tgz]
author: AMIR <31338382+amiremohamadi@users.noreply.github.com> Sun Jul 19 00:46:10 2020 +0430
committer: GitHub <noreply@github.com> Sat Jul 18 13:16:10 2020 -0700
tree: bd8512b01b0ce918d4678c0c848418a4ab3f00a1
parent: 9b01c598ca2576a1056816e85dd84bf5f9c74688 [diff] [blame]
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 1ac31bf..3431bb8 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py

@@ -368,6 +368,28 @@
         self.assertEqual(lines[3], "header: Second: val2")
 
 
+class HttpMethodTests(TestCase):
+    def test_invalid_method_names(self):
+        methods = (
+            'GET\r',
+            'POST\n',
+            'PUT\n\r',
+            'POST\nValue',
+            'POST\nHOST:abc',
+            'GET\nrHost:abc\n',
+            'POST\rRemainder:\r',
+            'GET\rHOST:\n',
+            '\nPUT'
+        )
+
+        for method in methods:
+            with self.assertRaisesRegex(
+                    ValueError, "method can't contain control characters"):
+                conn = client.HTTPConnection('example.com')
+                conn.sock = FakeSocket(None)
+                conn.request(method=method, url="/")
+
+
 class TransferEncodingTest(TestCase):
     expected_body = b"It's just a flesh wound"
commit	8ca8a2e8fb068863c1138f07e3098478ef8be12e	[log] [tgz]
author	AMIR <31338382+amiremohamadi@users.noreply.github.com>	Sun Jul 19 00:46:10 2020 +0430
committer	GitHub <noreply@github.com>	Sat Jul 18 13:16:10 2020 -0700
tree	bd8512b01b0ce918d4678c0c848418a4ab3f00a1
parent	9b01c598ca2576a1056816e85dd84bf5f9c74688 [diff] [blame]