diff options
| author |   Miro Hrončok <miro@hroncok.cz> | 2019-05-08 18:33:24 +0200 |
|---|---|---|
| committer |   Ned Deily <nad@python.org> | 2019-05-08 12:33:24 -0400 |
| commit | c50d437e942d4c4c45c8cd76329b05340c02eb31 (patch) | |
| tree | e7da4e6be490c8da2beb5e6fc26f1f1e9bc3eb4f /Misc/NEWS.d/next | |
| parent | bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-1... (diff) | |
| download | cpython-c50d437e942d4c4c45c8cd76329b05340c02eb31.tar.gz cpython-c50d437e942d4c4c45c8cd76329b05340c02eb31.tar.bz2 cpython-c50d437e942d4c4c45c8cd76329b05340c02eb31.zip | |
bpo-30458: Disallow control chars in http URLs. (GH-12755) (GH-13155)
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
Diffstat (limited to 'Misc/NEWS.d/next')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst new file mode 100644 index 00000000000..ed8027fb4d6 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst @@ -0,0 +1 @@ +Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised. |