bpo-38216, bpo-36274: Allow subclasses to separately override validat… · python/cpython@7774d78 (original) (raw)
`@@ -1085,18 +1085,15 @@ def putrequest(self, method, url, skip_host=False,
`
1085
1085
`else:
`
1086
1086
`raise CannotSendRequest(self.__state)
`
1087
1087
``
1088
``
`-
Save the method we use, we need it later in the response phase
`
``
1088
`+
Save the method for use later in the response phase
`
1089
1089
`self._method = method
`
1090
``
`-
if not url:
`
1091
``
`-
url = '/'
`
1092
``
`-
Prevent CVE-2019-9740.
`
1093
``
`-
if match := _contains_disallowed_url_pchar_re.search(url):
`
1094
``
`-
raise InvalidURL(f"URL can't contain control characters. {url!r} "
`
1095
``
`-
f"(found at least {match.group()!r})")
`
``
1090
+
``
1091
`+
url = url or '/'
`
``
1092
`+
self._validate_path(url)
`
``
1093
+
1096
1094
`request = '%s %s %s' % (method, url, self._http_vsn_str)
`
1097
1095
``
1098
``
`-
Non-ASCII characters should have been eliminated earlier
`
1099
``
`-
self._output(request.encode('ascii'))
`
``
1096
`+
self._output(self._encode_request(request))
`
1100
1097
``
1101
1098
`if self._http_vsn == 11:
`
1102
1099
`# Issue some standard headers for better HTTP/1.1 compliance
`
`@@ -1174,6 +1171,18 @@ def putrequest(self, method, url, skip_host=False,
`
1174
1171
`# For HTTP/1.0, the server will assume "not chunked"
`
1175
1172
`pass
`
1176
1173
``
``
1174
`+
def _encode_request(self, request):
`
``
1175
`+
ASCII also helps prevent CVE-2019-9740.
`
``
1176
`+
return request.encode('ascii')
`
``
1177
+
``
1178
`+
def _validate_path(self, url):
`
``
1179
`+
"""Validate a url for putrequest."""
`
``
1180
`+
Prevent CVE-2019-9740.
`
``
1181
`+
match = _contains_disallowed_url_pchar_re.search(url)
`
``
1182
`+
if match:
`
``
1183
`+
raise InvalidURL(f"URL can't contain control characters. {url!r} "
`
``
1184
`+
f"(found at least {match.group()!r})")
`
``
1185
+
1177
1186
`def putheader(self, header, *values):
`
1178
1187
`"""Send a request header line to the server.
`
1179
1188
``
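Review bot: In the first hunk only `url` is passed through `self._validate_path(url)` before `request = '%s %s %s' % (method, url, self._http_vsn_str)` is built, so `method` still reaches the request line unchecked, and a caller-supplied method containing CR/LF or other control characters would be written to the wire the same way the URL once was. A sibling hook, for example `self._validate_method(method)` called before `self._method = method` and rejecting control characters, would close that gap while keeping the same override pattern. In the second hunk, `_encode_request` and `_validate_path` become override points, so their docstrings should state that a subclass replacing them takes over the CVE-2019-9740 protection; `_encode_request` appears to carry only a comment and no docstring. The body of `putrequest` starts and ends outside both hunks, and `_contains_disallowed_url_pchar_re` is defined outside the visible lines, so the exact character set it rejects cannot be confirmed from here.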