NotificationsYou must be signed in to change notification settings
Fork32.1k
Star67.4k

bpo-38576: Disallow control characters in hostnames in http.client#18995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

gpshead merged 2 commits intopython:masterfromepicfaace:url

Mar 14, 2020

Merged

bpo-38576: Disallow control characters in hostnames in http.client#18995

gpshead merged 2 commits intopython:masterfromepicfaace:url

Mar 14, 2020

Conversation

Copy link

Contributor

epicfaace commentedMar 14, 2020•
edited by bedevere-bot
Loading

Extends#12755 to apply to hostnames.

https://bugs.python.org/issue38576

add host validation for control characters

e3ad9a9

the-knights-who-say-ni added the CLA signed label

Mar 14, 2020

bedevere-bot added the awaiting review label

Mar 14, 2020

📜🤖 Added by blurb_it.

54df435

gpshead self-assigned this

Mar 14, 2020

gpshead approved these changes

Mar 14, 2020

View reviewed changes

bedevere-bot added awaiting merge and removed awaiting review labels

Mar 14, 2020

gpshead added needs backport to 3.6 type-bug

An unexpected behavior, bug, or error

type-securityA security issue labels

Mar 14, 2020

Copy link

Member

gpshead commentedMar 14, 2020

Thanks!

While reviewing I also looked over the_get_hostport(host, port) call that happens before_validate_host(host). I do not believe that will cause any problems, the validation is still doing the right thing even if that transformed host to extract a port number.

gpshead merged commit9165add intopython:master

Mar 14, 2020

Copy link

Contributor

miss-islington commentedMar 14, 2020

Thanks@epicfaace for the PR, and@gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8.
🐍🍒⛏🤖

bedevere-bot removed the awaiting merge label

Mar 14, 2020

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (p…

f8213f0

…ythonGH-18995)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

Copy link

bedevere-bot commentedMar 14, 2020

GH-19000 is a backport of this pull request to the3.8 branch.

bedevere-bot removed the needs backport to 3.8 label

Mar 14, 2020

Copy link

bedevere-bot commentedMar 14, 2020

GH-19001 is a backport of this pull request to the3.7 branch.

bedevere-bot removed the needs backport to 3.7 label

Mar 14, 2020

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (p…

1e24df6

…ythonGH-18995)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

bedevere-bot removed the needs backport to 3.6 label

Mar 14, 2020

Copy link

bedevere-bot commentedMar 14, 2020

GH-19002 is a backport of this pull request to the3.6 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (p…

66627ba

…ythonGH-18995)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

miss-islington added a commit that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (G…

34f85af

…H-18995)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

miss-islington added a commit that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (G…

ff69c9d

…H-18995)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

epicfaace deleted the url branch

March 14, 2020 20:09

ned-deily pushed a commit that referenced this pull request

Mar 14, 2020

bpo-38576: Disallow control characters in hostnames in http.client (G…

83fc701

…H-18995) (GH-19002)Add host validation for control characters for moreCVE-2019-18348 protection.(cherry picked from commit9165add)Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>