bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) Add host validation for control characters for more CVE-2019-18348 protection.

commit: 9165addc22d05e776a54319a8531ebd0b2fe01ef [log] [tgz]
author: Ashwin Ramaswami <aramaswamis@gmail.com> Sat Mar 14 14:56:06 2020 -0400
committer: GitHub <noreply@github.com> Sat Mar 14 11:56:06 2020 -0700
tree: 288869da768bf6c9c5c930bf50e58a36114b04e6
parent: 6672c16b1d7f83789bf3a2016bd19edfd3568e71 [diff] [blame]
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 95eca7e..7f4decc 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py

@@ -1155,7 +1155,7 @@
         thread.join()
         self.assertEqual(result, b"proxied data\n")
 
-    def test_putrequest_override_validation(self):
+    def test_putrequest_override_domain_validation(self):
         """
         It should be possible to override the default validation
         behavior in putrequest (bpo-38216).
@@ -1168,6 +1168,17 @@
         conn.sock = FakeSocket('')
         conn.putrequest('GET', '/\x00')
 
+    def test_putrequest_override_host_validation(self):
+        class UnsafeHTTPConnection(client.HTTPConnection):
+            def _validate_host(self, url):
+                pass
+
+        conn = UnsafeHTTPConnection('example.com\r\n')
+        conn.sock = FakeSocket('')
+        # set skip_host so a ValueError is not raised upon adding the
+        # invalid URL as the value of the "Host:" header
+        conn.putrequest('GET', '/', skip_host=1)
+
     def test_putrequest_override_encoding(self):
         """
         It should be possible to override the default encoding
commit	9165addc22d05e776a54319a8531ebd0b2fe01ef	[log] [tgz]
author	Ashwin Ramaswami <aramaswamis@gmail.com>	Sat Mar 14 14:56:06 2020 -0400
committer	GitHub <noreply@github.com>	Sat Mar 14 11:56:06 2020 -0700
tree	288869da768bf6c9c5c930bf50e58a36114b04e6
parent	6672c16b1d7f83789bf3a2016bd19edfd3568e71 [diff] [blame]