From 5f0ad7b2a6b857419017e3e72062ab4e0e328238 Mon Sep 17 00:00:00 2001 From: Aldo Cortesi Date: Sun, 3 Mar 2013 22:13:23 +1300 Subject: [PATCH] Ensure that HTTP methods are ASCII. --- netlib/http.py | 2 ++ test/test_http.py | 10 +++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/netlib/http.py b/netlib/http.py index 0f2caa5a3..f1a2bfb56 100644 --- a/netlib/http.py +++ b/netlib/http.py @@ -227,6 +227,8 @@ def parse_init(line): httpversion = parse_http_protocol(protocol) if not httpversion: return None + if not utils.isascii(method): + return None return method, url, httpversion diff --git a/test/test_http.py b/test/test_http.py index e98a891f8..77cc26246 100644 --- a/test/test_http.py +++ b/test/test_http.py @@ -136,6 +136,7 @@ def test_parse_http_protocol(): def test_parse_init_connect(): assert http.parse_init_connect("CONNECT host.com:443 HTTP/1.0") + assert not http.parse_init_connect("C\xfeONNECT host.com:443 HTTP/1.0") assert not http.parse_init_connect("CONNECT \0host.com:443 HTTP/1.0") assert not http.parse_init_connect("CONNECT host.com:444444 HTTP/1.0") assert not http.parse_init_connect("bogus") @@ -155,6 +156,9 @@ def test_prase_init_proxy(): assert pa == "/test" assert httpversion == (1, 1) + u = "G\xfeET http://foo.com:8888/test HTTP/1.1" + assert not http.parse_init_proxy(u) + assert not http.parse_init_proxy("invalid") assert not http.parse_init_proxy("GET invalid HTTP/1.1") assert not http.parse_init_proxy("GET http://foo.com:8888/test foo/1.1") @@ -162,10 +166,14 @@ def test_prase_init_proxy(): def test_parse_init_http(): u = "GET /test HTTP/1.1" - m, u, httpversion= http.parse_init_http(u) + m, u, httpversion = http.parse_init_http(u) assert m == "GET" assert u == "/test" assert httpversion == (1, 1) + + u = "G\xfeET /test HTTP/1.1" + assert not http.parse_init_http(u) + assert not http.parse_init_http("invalid") assert not http.parse_init_http("GET invalid HTTP/1.1") assert not http.parse_init_http("GET /test foo/1.1")
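Review bot: The added `utils.isascii(method)` guard in parse_init rejects only bytes outside ASCII, so a method containing control characters (NUL, CR, DEL) or separators would presumably still be returned to the caller; utils.isascii is not visible here, so confirm what it accepts. For a proxy, a method that the upstream server tokenizes differently from this parser is a request-smuggling and log-injection risk, so the check is better expressed as the RFC 2616 token grammar (printable ASCII, no CTLs or separators) than as an encoding test. If the narrower check is intentional, say so next to it: `# ASCII only; CTLs and separators in the method are not rejected here`. parse_init starts above the hunk, so whether url gets an equivalent check earlier cannot be seen from here.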
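Review bot: The new negative case in test_parse_init_connect, and the matching ones in test_prase_init_proxy and test_parse_init_http, all use the single byte `\xfe`, so they do not pin where the ASCII boundary sits or how in-range bytes that are invalid in a method are treated. A boundary case such as `assert not http.parse_init_http("G\x80ET /test HTTP/1.1")` would fix the cut-off. A control-character case such as `"G\x00ET /test HTTP/1.1"`, asserted with whichever result is intended, would document the contract of the new check. None of the three tests calls parse_init directly, so the guard is only covered through its wrappers.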