[New-bugs-announce] [issue38216] Fix for issue30458 prevents crafting invalid requests

Jason R. Coombs report at bugs.python.org
Wed Sep 18 12:14:30 EDT 2019

New submission from Jason R. Coombs <jaraco at jaraco.com>:

The fix for issue30458 prevents any request line from transmitting non-ascii characters. In some cases, it's useful to transmit these illegal bytes in order to simulate a maliciously-crafted request (such as to ensure a web server responds correctly to such a request). This limitation is a regression from previous behavior that allowed transmission of such invalid requests.

For example, consider [this comment](https://github.com/cherrypy/cherrypy/issues/1781#issuecomment-507836873), where tests in CherryPy were disabled due to emergent failures against nightly builds.

Originally, I reported this issue in issue36274, but I believe this issue is distinct and has a different timeline from that issue.

In [this comment](https://bugs.python.org/issue36274#msg352711), xtreak suggests that the proper solution might be not to transmit raw invalid characters but to actually rely on URL quoting to "transmit" those bytes. While that does seem to exercise CherryPy's error detection properly, I believe it still fails to exercise the receipt and handling of raw invalid bytes, but it does provide a possible satisfactory mitigation to this issue.

messages: 352738
nosy: jaraco
priority: normal
severity: normal
status: open
title: Fix for issue30458 prevents crafting invalid requests

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list