Reject NUL bytes in HTTP request lines#832
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #832 +/- ##
==========================================
- Coverage 78.19% 77.77% -0.43%
==========================================
Files 41 41
Lines 4788 4791 +3
Branches 547 483 -64
==========================================
- Hits 3744 3726 -18
- Misses 905 922 +17
- Partials 139 143 +4 |
There was a problem hiding this comment.
Thanks for this PR. Looks useful but see inline comments. Also in the PR description you did not use the standard template that makes clear what you have and have not addressed.
Your commit also needs a body message and we need a docs/changelog-fragments.d/832.bugfix.rst describing the bug fix in the appropriate towncrier style - see docs/changelog-fragments.d/README.rst.
|
|
||
| def test_null_byte_in_request_line(test_client): | ||
| """Check that NUL bytes in the request line return Bad Request.""" | ||
| c = test_client.get_connection() |
There was a problem hiding this comment.
Let's use descriptive vars rather than single characters. conn would be better here.
There was a problem hiding this comment.
Technically, this follows the existing style, which could be okay in such cases. This, however, mainly copies the same test and should've just parametrized it instead of adding another almost-identical test function.
|
|
||
| try: | ||
| method, uri, req_protocol = request_line.strip().split(SPACE, 2) | ||
| if b'\x00' in request_line: |
There was a problem hiding this comment.
Better to check for null bytes before doing any parsing. Suggest moving this above request_line.strip().split(SPACE, 2)
0f32bcb to
9525cd8
Compare
Reject request lines containing NUL bytes before parsing the request target and protocol. This keeps malformed request-line handling consistent with the existing bad request path and covers the case in the malformed request-line test matrix.
❓ What kind of change does this PR introduce?
📋 What is the related issue number (starting with
#)Related to #201.
❓ What is the current behavior? (You can also link to an open issue here)
HTTP request lines containing embedded NUL bytes could reach the request-line parser instead of being rejected explicitly as malformed input.
❓ What is the new behavior (if this is a feature change)?
Cheroot now rejects request lines containing NUL bytes with
400 Bad Requestbefore splitting the request line. The malformed request-line test matrix covers the NUL-byte case.📋 Other information:
Added
docs/changelog-fragments.d/832.bugfix.rst.Testing:
.venv\Scripts\python.exe -m pytest --no-cov -n 0 cheroot/test/test_core.py -k malformed_request_line📋 Contribution checklist: