From 4075c653fb67a29740bf9ac050bb02d10a57343a Mon Sep 17 00:00:00 2001 From: Ben Kallus <49924171+kenballus@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:18:35 -0400 Subject: [PATCH] Backport 493f06797654c383242f0e8007f6e06b818a1fbc to 3.9 (#7730) --- python-aiohttp-3.8.4.orig/aiohttp/http_parser.py +++ python-aiohttp-3.8.4/aiohttp/http_parser.py @@ -69,7 +69,9 @@ ASCIISET: Final[Set[str]] = set(string.p # token = 1*tchar METHRE: Final[Pattern[str]] = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+") VERSRE: Final[Pattern[str]] = re.compile(r"HTTP/(\d).(\d)") -HDRRE: Final[Pattern[bytes]] = re.compile(rb"[\x00-\x1F\x7F()<>@,;:\[\]={} \t\"\\]") +HDRRE: Final[Pattern[bytes]] = re.compile( + rb"[\x00-\x1F\x7F-\xFF()<>@,;:\[\]={} \t\"\\]" +) class RawRequestMessage(NamedTuple): @@ -546,7 +548,7 @@ class HttpRequestParser(HttpParser[RawRe # request line line = lines[0].decode("utf-8", "surrogateescape") try: - method, path, version = line.split(maxsplit=2) + method, path, version = line.split(" ", maxsplit=2) except ValueError: raise BadStatusLine(line) from None --- python-aiohttp-3.8.4.orig/tests/test_http_parser.py +++ python-aiohttp-3.8.4/tests/test_http_parser.py @@ -441,6 +441,7 @@ def test_cve_2023_37276(parser: Any) -> "Baz: abc\x00def", "Foo : bar", # https://www.rfc-editor.org/rfc/rfc9112.html#section-5.1-2 "Foo\t: bar", + "\xffoo: bar", ), ) def test_bad_headers(parser: Any, hdr: str) -> None: @@ -600,7 +601,13 @@ def test_http_request_bad_status_line(pa parser.feed_data(text) -def test_http_request_upgrade(parser) -> None: +def test_http_request_bad_status_line_whitespace(parser: Any) -> None: + text = b"GET\n/path\fHTTP/1.1\r\n\r\n" + with pytest.raises(http_exceptions.BadStatusLine): + parser.feed_data(text) + + +def test_http_request_upgrade(parser: Any) -> None: text = ( b"GET /test HTTP/1.1\r\n" b"connection: upgrade\r\n"