From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <sethmichaellarson@gmail.com> Date: Mon, 17 Feb 2020 15:34:48 -0600 Subject: [PATCH] Raise ValueError if method contains control characters (#1800) --- src/urllib3/connection.py | 14 ++++++++++++++ Modified for Mageia 7 by B. Cornec diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py index 71e6790b1..f7b176093 100644 --- a/src/pip/_vendor/urllib3/connection.py +++ b/src/pip/_vendor/urllib3/connection.py @@ -1,4 +1,5 @@ from __future__ import absolute_import +import re import datetime import logging import os @@ -63,6 +63,8 @@ # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) RECENT_DATE = datetime.date(2017, 6, 30) +_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") + class DummyConnection(object): """Used to detect a failed ConnectionCls import.""" @@ -186,6 +186,18 @@ conn = self._new_conn() self._prepare_conn(conn) + def putrequest(self, method, url, *args, **kwargs): + """Send a request to the server""" + match = _CONTAINS_CONTROL_CHAR_RE.search(method) + if match: + raise ValueError( + "Method cannot contain non-token characters %r (found at least %r)" + % (method, match.group()) + ) + + return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) + + def request_chunked(self, method, url, body=None, headers=None): """ Alternative to the common request method, which sends the