Reject invalid HTTP method token characters#833
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #833 +/- ##
==========================================
- Coverage 78.19% 78.16% -0.03%
==========================================
Files 41 41
Lines 4788 4800 +12
Branches 547 548 +1
==========================================
+ Hits 3744 3752 +8
- Misses 905 907 +2
- Partials 139 141 +2 |
There was a problem hiding this comment.
Useful like #832 but can you use the original template in the PR description?
Your commit also needs a body message which can expand on the commit message. The CI log mentions this:
Commit ede37bd316:
3: B6 Body message is missing
Error: Process completed with exit code 1.
You also need to add a docs/changelog-fragments.d/833.bugfix.rst describing the bug fix in the appropriate towncrier style - see docs/changelog-fragments.d/README.rst.
|
|
||
| def test_invalid_character_in_http_method(test_client): | ||
| """Check that methods with invalid token characters are rejected.""" | ||
| c = test_client.get_connection() |
There was a problem hiding this comment.
Use a descriptive variable name such as conn.
| return False | ||
|
|
||
| if not HTTP_TOKEN_RE.match(method): | ||
| self.simple_response('400 Bad Request', 'Malformed method name') |
There was a problem hiding this comment.
Let's make the message more informative e.g.: Malformed method name: invalid token (see RFC 9110 section 9.1). See, for example, line 834. References older (obsoleted) RFCs but you get the idea.
resp = (
'Malformed method name: According to RFC 2616 '
'(section 5.1.1) and its successors '
'RFC 7230 (section 3.1.1) and RFC 7231 (section 4.1) '
'method names are case-sensitive and uppercase.'
)
25e9292 to
53f4fbf
Compare
53f4fbf to
0446800
Compare
Validate parsed HTTP methods against the RFC token character set before accepting the request line. This rejects methods containing invalid token characters with a 400 Bad Request response and covers the behavior with a focused regression test.
❓ What kind of change does this PR introduce?
📋 What is the related issue number (starting with
#)Closes #715.
❓ What is the current behavior? (You can also link to an open issue here)
HTTP request methods containing characters outside the HTTP token grammar could be accepted after parsing the request line.
❓ What is the new behavior (if this is a feature change)?
Cheroot now validates parsed HTTP methods against the HTTP token character set and rejects methods containing invalid token characters with
400 Bad Request.📋 Other information:
Added
docs/changelog-fragments.d/833.bugfix.rst.Testing:
.venv\Scripts\python.exe -m pytest --no-cov -n 0 cheroot/test/test_core.py -k "malformed_http_method or invalid_character_in_http_method"📋 Contribution checklist: