From cee02226fa2655da3a42334b8bb7293a31c4e319 Mon Sep 17 00:00:00 2001
From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Date: Mon, 16 Oct 2023 12:32:28 -0400
Subject: [PATCH] Add check to validate absolute URIs (#7713)

(cherry picked from commit d697d4211b38e435fd59a0ced331989c8b258097)
---
 CHANGES/7712.bugfix | 1 +
 aiohttp/http_parser.py | 7 +++++++
 tests/test_http_parser.py | 5 +++++
 3 files changed, 13 insertions(+)
 create mode 100644 CHANGES/7712.bugfix

diff --git a/CHANGES/7712.bugfix b/CHANGES/7712.bugfix
new file mode 100644
index 00000000000..b5304c34ac2
--- /dev/null
+++ b/CHANGES/7712.bugfix
@@ -0,0 +1 @@
+Add check to validate that absolute URIs have schemes.
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
index 17cc004eba7..43c69bff532 100644
--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
@@ -34,6 +34,7 @@
     ContentEncodingError,
     ContentLengthError,
     InvalidHeader,
+    InvalidURLError,
     LineTooLong,
     TransferEncodingError,
 )
@@ -585,10 +586,16 @@ def parse_message(self, lines: List[bytes]) -> RawRequestMessage:
                     fragment=url_fragment,
                     encoded=True,
                 )
+            elif path == "*" and method == "OPTIONS":
+                # asterisk-form,
+                url = URL(path, encoded=True)
             else:
                 # absolute-form for proxy maybe,
                 # https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.2
                 url = URL(path, encoded=True)
+                if url.scheme == "":
+                    # not absolute-form
+                    raise InvalidURLError(line)
 
             # read headers
             (
diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
index fa0e8909a73..5df6603ccc3 100644
--- a/tests/test_http_parser.py
+++ b/tests/test_http_parser.py
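Review bot: The new `if url.scheme == "":` guard in the `else` branch only proves that a scheme is present, so a request-target such as `a:b` or `http:/path` still passes as absolute-form with no authority at all, although RFC 7230 §5.3.2 absolute-form requires a host for http/https URIs and §5.5 makes that authority, not the Host header, the effective request URI. I would tighten it to `if url.scheme == "" or url.host is None:` — yarl's `host` is, as far as I recall, urlsplit's hostname and is `None` when no authority was parsed, which is worth confirming against the yarl version pinned here. The `# asterisk-form,` comment in the new `elif` is a dangling fragment; the sibling branches pair that form with the RFC link, so `# https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.4` belongs on the next line. `parse_message` begins and ends outside this hunk, so I cannot see whether a `ValueError` raised by `URL(path, encoded=True)` on a malformed authority (an unclosed IPv6 literal, for instance) is ever converted into a 400; if it is not, that pre-existing path deserves a `try/except ValueError` that raises `InvalidURLError(line)` as well.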
@@ -741,6 +741,11 @@ def test_http_request_parser_bad_version_number(parser: Any) -> None:
     parser.feed_data(b"GET /test HTTP/1.32\r\n\r\n")
 
 
+def test_http_request_parser_bad_uri(parser: Any) -> None:
+    with pytest.raises(http_exceptions.InvalidURLError):
+        parser.feed_data(b"GET ! HTTP/1.1\r\n\r\n")
+
+
 @pytest.mark.parametrize("size", [40965, 8191])
 def test_http_request_max_status_line(parser, size) -> None:
     path = b"t" * (size - 5)
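Review bot: The new `test_http_request_parser_bad_uri` only covers a target with no scheme at all (`!`); the companion change in `http_parser.py` also accepts `*` solely for `OPTIONS` and now rejects `*` for every other method, and neither side of that is asserted here, nor is a well-formed absolute-form target such as `GET http://example.com/ HTTP/1.1` shown to still be accepted. I would add the three cases below as separate test functions so that a failure in one does not mask the others. The `parser` fixture looks parametrized but its definition is outside this hunk; if it also drives the llhttp-based parser, the `GET *` rejection may need to be limited to the pure-Python parser, since I do not believe llhttp ties asterisk-form to the request method.
```python
def test_http_request_parser_asterisk_form(parser: Any) -> None:
    parser.feed_data(b"OPTIONS * HTTP/1.1\r\n\r\n")


def test_http_request_parser_asterisk_form_wrong_method(parser: Any) -> None:
    with pytest.raises(http_exceptions.InvalidURLError):
        parser.feed_data(b"GET * HTTP/1.1\r\n\r\n")


def test_http_request_parser_absolute_form(parser: Any) -> None:
    parser.feed_data(b"GET http://example.com/ HTTP/1.1\r\n\r\n")
```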