
Commit b7378d7

bpo-30458: Use InvalidURL instead of ValueError. (GH-13044)
Use http.client.InvalidURL instead of ValueError as the new error case's exception.
1 parent e1d5dd6 commit b7378d7


3 files changed

+8
-6
lines changed


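--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -1091,7 +1091,7 @@ def putrequest(self, method, url, skip_host=False,
 url = '/'
 # Prevent CVE-2019-9740.
 if match := _contains_disallowed_url_pchar_re.search(url):
-raise ValueError(f"URL can't contain control characters. {url!r} "
+raise InvalidURL(f"URL can't contain control characters. {url!r} "
 f"(found at least {match.group()!r})")
 request = '%s %s %s' % (method, url, self._http_vsn_str)
 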
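Review bot: The control-character check covers only `url`, while `method` is formatted into the same request line by `request = '%s %s %s' % (method, url, self._http_vsn_str)` with no comparable check visible in this hunk. If callers can pass a method string derived from untrusted input, whitespace or CR/LF in it would reach the wire the same way the URL case did. A matching guard before the request line is built would close that gap, for example `if any(ch <= ' ' or ch == '\x7f' for ch in method): raise ValueError(f"method can't contain control characters. {method!r}")`. putrequest starts above the hunk, so an earlier validation of `method` may already exist and should be confirmed before adding one.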

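--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -343,11 +343,12 @@ def test_url_with_control_char_rejected(self):
 # calls urllib.parse.quote() on the URL which makes all of the
 # above attempts at injection within the url _path_ safe.
 escaped_char_repr = repr(char).replace('\\', r'\\')
+InvalidURL = http.client.InvalidURL
 with self.assertRaisesRegex(
-ValueError, f"contain control.*{escaped_char_repr}"):
+InvalidURL, f"contain control.*{escaped_char_repr}"):
 urllib.request.urlopen(f"http:{schemeless_url}")
 with self.assertRaisesRegex(
-ValueError, f"contain control.*{escaped_char_repr}"):
+InvalidURL, f"contain control.*{escaped_char_repr}"):
 urllib.request.urlopen(f"https:{schemeless_url}")
 # This code path quotes the URL so there is no injection.
 resp = urlopen(f"http:{schemeless_url}")
@@ -367,10 +368,11 @@ def test_url_with_newline_header_injection_rejected(self):
 # urlopen uses FancyURLOpener which goes via a codepath that
 # calls urllib.parse.quote() on the URL which makes all of the
 # above attempts at injection within the url _path_ safe.
+InvalidURL = http.client.InvalidURL
 with self.assertRaisesRegex(
-ValueError, r"contain control.*\\r.*(found at least . .)"):
+InvalidURL, r"contain control.*\\r.*(found at least . .)"):
 urllib.request.urlopen(f"http:{schemeless_url}")
-with self.assertRaisesRegex(ValueError, r"contain control.*\\n"):
+with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
 urllib.request.urlopen(f"https:{schemeless_url}")
 # This code path quotes the URL so there is no injection.
 resp = urlopen(f"http:{schemeless_url}")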
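Review bot: In `test_url_with_newline_header_injection_rejected` the pattern `r"contain control.*\\r.*(found at least . .)"` leaves its parentheses unescaped, so they form a regex group instead of matching the literal `(` and `)` in the http.client message. The assertion still passes, but it pins less of the message than it appears to. Escaping them, as in `r"contain control.*\\r.*\(found at least . .\)"`, would make the test fail if the message format drifts. Separately, the alias `InvalidURL = http.client.InvalidURL` is repeated in both tests and could be dropped by passing `http.client.InvalidURL` directly to `assertRaisesRegex`. Both test bodies start above the hunks shown.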
@@ -1 +1 @@
1-
Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.
1+
Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
