author | Bert JW Regeer <xistence@0x58.com> | 2022-03-16 15:26:15 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-16 15:26:15 -0600 |
commit | 9e0b8c801e4d505c2ffc91b891af4ba48af715e0 (patch) | |
tree | 9d072734176f480abc59c06b8b2e03ec1850587d /src/waitress/utilities.py | |
parent | 22c03947e3bcd7631120aae40d3d844d4f35e49f (diff) | |
parent | b28c9e8bda326ff2f87bf8eb7ea6b110ee0ae6fe (diff) | |
download | waitress-9e0b8c801e4d505c2ffc91b891af4ba48af715e0.tar.gz |
Merge pull request from GHSA-4f7p-27jc-3c36v2.1.1
Fix for HTTP request smuggling due to incorrect validation
Diffstat (limited to 'src/waitress/utilities.py')
-rw-r--r-- | src/waitress/utilities.py | 28 |
1 files changed, 3 insertions, 25 deletions
diff --git a/src/waitress/utilities.py b/src/waitress/utilities.py
index 3caaa33..6ae4742 100644
--- a/src/waitress/utilities.py
+++ b/src/waitress/utilities.py
@@ -22,7 +22,7 @@ import re
 import stat
 import time
-from .rfc7230 import OBS_TEXT, VCHAR
+from .rfc7230 import QUOTED_PAIR_RE, QUOTED_STRING_RE
 logger = logging.getLogger("waitress")
 queue_logger = logging.getLogger("waitress.queue")
@@ -216,32 +216,10 @@ def parse_http_date(d):
 return retval
-# RFC 5234 Appendix B.1 "Core Rules":
-# VCHAR = %x21-7E
-# ; visible (printing) characters
-vchar_re = VCHAR
-
-# RFC 7230 Section 3.2.6 "Field Value Components":
-# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
-# qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
-# obs-text = %x80-FF
-# quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
-obs_text_re = OBS_TEXT
-
-# The '\\' between \x5b and \x5d is needed to escape \x5d (']')
-qdtext_re = "[\t \x21\x23-\x5b\\\x5d-\x7e" + obs_text_re + "]"
-
-quoted_pair_re = r"\\" + "([\t " + vchar_re + obs_text_re + "])"
-quoted_string_re = '"(?:(?:' + qdtext_re + ")|(?:" + quoted_pair_re + '))*"'
-
-quoted_string = re.compile(quoted_string_re)
-quoted_pair = re.compile(quoted_pair_re)
-
-
 def undquote(value):
 if value.startswith('"') and value.endswith('"'):
 # So it claims to be DQUOTE'ed, let's validate that
- matches = quoted_string.match(value)
+ matches = QUOTED_STRING_RE.match(value)
 if matches and matches.end() == len(value):
 # Remove the DQUOTE's from the value
@@ -249,7 +227,7 @@ def undquote(value):
 # Remove all backslashes that are followed by a valid vchar or
 # obs-text
- value = quoted_pair.sub(r"\1", value)
+ value = QUOTED_PAIR_RE.sub(r"\1", value)
 return value
 elif not value.startswith('"') and not value.endswith('"'): |
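Review bot: The whole-string validation in the second hunk is spelled as `QUOTED_STRING_RE.match(value)` followed by `matches.end() == len(value)`; `matches = QUOTED_STRING_RE.fullmatch(value)` with a plain `if matches:` states the intent in one step and, unlike a prefix match plus length comparison, lets the regex engine backtrack to find a full match, which is the semantics a validator wants (assuming QUOTED_STRING_RE is unanchored, as the old inline pattern was). undquote has no docstring; a one-liner such as `"""Remove the DQUOTEs and quoted-pair backslashes from an RFC 7230 quoted-string *value*."""` would record the contract the smuggling fix depends on. The rejection path for a value that claims to be quoted but does not match, and the `elif` branch for an unbalanced quote, continue outside the hunk, so what a failed match returns is not visible here. With the compiled patterns now living in rfc7230, the `import re` shown in the first hunk's header is only still needed if some other part of utilities.py uses it; worth confirming so the fix does not leave a dead import behind.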