commit 9165addc22d05e776a54319a8531ebd0b2fe01ef
author Ashwin Ramaswami <aramaswamis@gmail.com> Sat Mar 14 14:56:06 2020 -0400
committer GitHub <noreply@github.com> Sat Mar 14 11:56:06 2020 -0700
tree 288869da768bf6c9c5c930bf50e58a36114b04e6
parent 6672c16b1d7f83789bf3a2016bd19edfd3568e71

bpo-38576: Disallow control characters in hostnames in http.client (GH-18995)

Add host validation for control characters for more CVE-2019-18348 protection.

Lib/http/client.py

diff --git a/Lib/http/client.py b/Lib/http/client.py
index 33a4347..019380a 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -828,6 +828,8 @@
 
         (self.host, self.port) = self._get_hostport(host, port)
 
+        self._validate_host(self.host)
+
         # This is stored as an instance variable to allow unit
         # tests to replace it with a suitable mockup
         self._create_connection = socket.create_connection
@@ -1183,6 +1185,14 @@
             raise InvalidURL(f"URL can't contain control characters. {url!r} "
                              f"(found at least {match.group()!r})")
 
+    def _validate_host(self, host):
+        """Validate a host so it doesn't contain control characters."""
+        # Prevent CVE-2019-18348.
+        match = _contains_disallowed_url_pchar_re.search(host)
+        if match:
+            raise InvalidURL(f"URL can't contain control characters. {host!r} "
+                             f"(found at least {match.group()!r})")
+
     def putheader(self, header, *values):
         """Send a request header line to the server.