From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Date: Wed, 18 Oct 2023 12:18:35 -0400
Subject: Backport 493f06797654c383242f0e8007f6e06b818a1fbc to 3.9 (#7730)
---
 aiohttp/http_parser.py | 6 ++++--
 tests/test_http_parser.py | 9 ++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
index 3862bbe..8e5e816 100644
--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
@@ -55,7 +55,9 @@ ASCIISET = set(string.printable)
 # token = 1*tchar
 METHRE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
 VERSRE: Final[Pattern[str]] = re.compile(r"HTTP/(\d).(\d)")
-HDRRE: Final[Pattern[bytes]] = re.compile(rb"[\x00-\x1F\x7F()<>@,;:\[\]={} \t\"\\]")
+HDRRE: Final[Pattern[bytes]] = re.compile(
+ rb"[\x00-\x1F\x7F-\xFF()<>@,;:\[\]={} \t\"\\]"
+)
 RawRequestMessage = collections.namedtuple(
 "RawRequestMessage",
@@ -523,7 +525,7 @@ class HttpRequestParser(HttpParser):
 # request line
 line = lines[0].decode("utf-8", "surrogateescape")
 try:
- method, path, version = line.split(maxsplit=2)
+ method, path, version = line.split(" ", maxsplit=2)
 except ValueError:
 raise BadStatusLine(line) from None
diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
index d584f15..9d65b2f 100644
--- a/tests/test_http_parser.py
+++ b/tests/test_http_parser.py
@@ -397,6 +397,7 @@ def test_cve_2023_37276(parser: Any) -> None:
 "Baz: abc\x00def",
 "Foo : bar", # https://www.rfc-editor.org/rfc/rfc9112.html#section-5.1-2
 "Foo\t: bar",
+ "\xffoo: bar",
 ),
 )
 def test_bad_headers(parser: Any, hdr: str) -> None:
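Review bot: The widened HDRRE class still does not list `/` or `?`, so a header name containing either passes this check even though neither is an RFC 9110 tchar — the grammar that the `# token = 1*tchar` comment and the positive METHRE pattern three lines above encode, so the two patterns now disagree on exactly those two characters; unless a check outside this hunk rejects them, the class should read `rb"[\x00-\x1F\x7F-\xFF()<>@,;:\[\]={} \t\"\\/?]"`. The definition has grown to three lines with nothing saying it is a deny-list of bytes rather than a match of a valid name; a comment such as `# Any byte that is not an RFC 9110 tchar: controls, DEL, non-ASCII and the separators.` would stop a later "cleanup" from turning it into an allow-list without updating its callers.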
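Review bot: `line.split(" ", maxsplit=2)` is deliberately stricter than the removed `split(maxsplit=2)` — only a single SP delimits the request line, so a tab, LF or FF inside it now leaves too few fields and lands in the `BadStatusLine` branch — but nothing on the line records that intent, and the old form is the more natural one a later reader may restore; add `# Only a single SP separates the request-line fields (RFC 9112 §3); any other whitespace is not a delimiter.` Two consequences of the explicit `" "` separator are worth checking in the code that follows: a doubled space yields an empty `path` with the real path prefixed to `version`, and trailing spaces after the version stay attached to `version` (as before), so the outcome rests on the METHRE/VERSRE checks later in parse_message, which starts and ends outside this hunk.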
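Review bot: `"\xffoo: bar"` is a `str` parameter, so whether it reaches the parser as the single byte `\xff` or as UTF-8 `\xc3\xbf` depends on how test_bad_headers encodes `hdr`, which is outside this hunk; both forms are rejected by the widened HDRRE, but only the first exercises the top of the new `\x7F-\xFF` range as a lone byte. Adding the low edge of the range next to it, `"\x80oo: bar",`, pins the boundary the regex was widened for independently of the encoding step.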
@@ -562,7 +563,13 @@ def test_http_request_bad_status_line(parser) -> None:
 parser.feed_data(text)
-def test_http_request_upgrade(parser) -> None:
+def test_http_request_bad_status_line_whitespace(parser: Any) -> None:
+ text = b"GET\n/path\fHTTP/1.1\r\n\r\n"
+ with pytest.raises(http_exceptions.BadStatusLine):
+ parser.feed_data(text)
+
+
+def test_http_request_upgrade(parser: Any) -> None:
 text = (
 b"GET /test HTTP/1.1\r\n"
 b"connection: upgrade\r\n"
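Review bot: test_http_request_bad_status_line_whitespace folds two separators (`\n` and `\f`) into one request line, so the assertion holds as long as at least one of them is not treated as a delimiter and cannot show that each is rejected on its own; every separator the removed `split(maxsplit=2)` used to accept — tab, LF, VT, FF — deserves its own case. Parametrizing the separator keeps the body as short as it is now.

```python
@pytest.mark.parametrize("sep", [b"\t", b"\n", b"\v", b"\f"])
def test_http_request_bad_status_line_whitespace(parser: Any, sep: bytes) -> None:
    text = b"GET" + sep + b"/path" + sep + b"HTTP/1.1\r\n\r\n"
    with pytest.raises(http_exceptions.BadStatusLine):
        parser.feed_data(text)
```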