| author | shadchin <[email protected]> | 2026-06-24 07:09:14 +0300 |
|---|---|---|
| committer | shadchin <[email protected]> | 2026-06-24 07:31:09 +0300 |
| commit | 280914cd46f4411a2e01150bf9d9c53dff19fa66 (patch) | |
| tree | 841d7b8330cb51e86f2ea6e915e4904563321aca /contrib/tools/python3/Lib/http | |
| parent | 1100ced6faf1d14f48cb041f885882d3b37491a2 (diff) | |
Update Python 3 to 3.13.14
commit_hash:9913a0288f56b5ddd0f99e5b2ff1569d491cbe5d
Diffstat (limited to 'contrib/tools/python3/Lib/http')
| -rw-r--r-- | contrib/tools/python3/Lib/http/client.py | 11 | ||||
| -rw-r--r-- | contrib/tools/python3/Lib/http/cookies.py | 8 |
2 files changed, 16 insertions, 3 deletions
diff --git a/contrib/tools/python3/Lib/http/client.py b/contrib/tools/python3/Lib/http/client.py
index dd5f4136e9e..c1ff4cef02f 100644
--- a/contrib/tools/python3/Lib/http/client.py
+++ b/contrib/tools/python3/Lib/http/client.py
@@ -972,13 +972,22 @@ class HTTPConnection:
 return ip
 def _tunnel(self):
+ if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
+ raise ValueError('Tunnel host can\'t contain control characters %r'
+ % (self._tunnel_host,))
 connect = b"CONNECT %s:%d %s\r\n" % (
 self._wrap_ipv6(self._tunnel_host.encode("idna")),
 self._tunnel_port,
 self._http_vsn_str.encode("ascii"))
 headers = [connect]
 for header, value in self._tunnel_headers.items():
- headers.append(f"{header}: {value}\r\n".encode("latin-1"))
+ header_bytes = header.encode("latin-1")
+ value_bytes = value.encode("latin-1")
+ if not _is_legal_header_name(header_bytes):
+ raise ValueError('Invalid header name %r' % (header_bytes,))
+ if _is_illegal_header_value(value_bytes):
+ raise ValueError('Invalid header value %r' % (value_bytes,))
+ headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
 headers.append(b"\r\n")
 # Making a single send() call instead of one per line encourages
 # the host OS to use a more optimal packet size instead of
diff --git a/contrib/tools/python3/Lib/http/cookies.py b/contrib/tools/python3/Lib/http/cookies.py
index 63d119ad46c..2cffa2a9ad6 100644
--- a/contrib/tools/python3/Lib/http/cookies.py
+++ b/contrib/tools/python3/Lib/http/cookies.py
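Review bot: In the header loop of `_tunnel`, `value.encode("latin-1")` assumes every tunnel header value is a `str`, while the removed f-string line formatted any object, so an `int` or `bytes` value that used to be sent would now fail with `AttributeError` instead of the `ValueError` the new checks raise. If only `str` is meant to be accepted, say so next to the loop, e.g. `# names and values must be str; both are validated before the CONNECT request is assembled`. The host check's message speaks of control characters, but what it actually rejects depends on `_contains_disallowed_url_pchar_re`, which is defined outside this hunk, so the wording should be checked against that pattern. `_tunnel` continues past the end of the hunk.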
@@ -389,17 +389,21 @@ class Morsel(dict):
 return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
 def js_output(self, attrs=None):
+ import urllib.parse
 # Print javascript
 output_string = self.OutputString(attrs)
 if _has_control_character(output_string):
 raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8')
 return """
 <script type="text/javascript">
 <!-- begin hiding
- document.cookie = \"%s\";
+ document.cookie = decodeURIComponent(\"%s\");
 // end hiding -->
 </script>
- """ % (output_string.replace('"', r'\"'))
+ """ % (output_encoded,)
 def OutputString(self, attrs=None):
 # Build up our result |
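Review bot: The added comment in `js_output` says the value is Base64-encoded, but the line below it percent-encodes the string with `urllib.parse.quote(output_string, safe='', encoding='utf-8')` and the script reverses that with `decodeURIComponent`; nothing here is Base64. A comment that matches the code would be `# Percent-encode the cookie string so that quotes, backslashes and "</script>" cannot end the JS string literal or the script element; decodeURIComponent() restores it in the browser.` The function-scope `import urllib.parse` also deserves a short why-comment if it is there to avoid a module-level import cost or cycle, which the hunk does not show.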
