authorshadchin <[email protected]>2026-06-24 07:09:14 +0300
committershadchin <[email protected]>2026-06-24 07:31:09 +0300
commit280914cd46f4411a2e01150bf9d9c53dff19fa66 (patch)
tree841d7b8330cb51e86f2ea6e915e4904563321aca /contrib/tools/python3/Lib/http
parent1100ced6faf1d14f48cb041f885882d3b37491a2 (diff)
Update Python 3 to 3.13.14
commit_hash:9913a0288f56b5ddd0f99e5b2ff1569d491cbe5d
Diffstat (limited to 'contrib/tools/python3/Lib/http')
-rw-r--r--contrib/tools/python3/Lib/http/client.py11
-rw-r--r--contrib/tools/python3/Lib/http/cookies.py8
2 files changed, 16 insertions, 3 deletions
diff --git a/contrib/tools/python3/Lib/http/client.py b/contrib/tools/python3/Lib/http/client.py
index dd5f4136e9e..c1ff4cef02f 100644
--- a/contrib/tools/python3/Lib/http/client.py
+++ b/contrib/tools/python3/Lib/http/client.py
@@ -972,13 +972,22 @@ class HTTPConnection:
return ip
def _tunnel(self):
+ if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
+ raise ValueError('Tunnel host can\'t contain control characters %r'
+ % (self._tunnel_host,))
connect = b"CONNECT %s:%d %s\r\n" % (
self._wrap_ipv6(self._tunnel_host.encode("idna")),
self._tunnel_port,
self._http_vsn_str.encode("ascii"))
headers = [connect]
for header, value in self._tunnel_headers.items():
- headers.append(f"{header}: {value}\r\n".encode("latin-1"))
+ header_bytes = header.encode("latin-1")
+ value_bytes = value.encode("latin-1")
+ if not _is_legal_header_name(header_bytes):
+ raise ValueError('Invalid header name %r' % (header_bytes,))
+ if _is_illegal_header_value(value_bytes):
+ raise ValueError('Invalid header value %r' % (value_bytes,))
+ headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
headers.append(b"\r\n")
# Making a single send() call instead of one per line encourages
# the host OS to use a more optimal packet size instead of
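Review bot: In the tunnel-header loop, `value.encode("latin-1")` now raises AttributeError for any header value that is not a `str`, whereas the removed f-string line formatted such values (an integer, for example) into the header text. If non-string values are meant to stay supported, `value_bytes = str(value).encode("latin-1")` keeps the old formatting and still passes the result through `_is_illegal_header_value`; otherwise a comment stating that tunnel headers must be `str` would make the stricter contract explicit. The host check also runs only here, when the CONNECT request is built, so a host containing disallowed characters is presumably accepted wherever it is first stored (outside this hunk) and rejected late; a one-line comment saying so would help. The body of `_tunnel` continues past the end of the hunk.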
diff --git a/contrib/tools/python3/Lib/http/cookies.py b/contrib/tools/python3/Lib/http/cookies.py
index 63d119ad46c..2cffa2a9ad6 100644
--- a/contrib/tools/python3/Lib/http/cookies.py
+++ b/contrib/tools/python3/Lib/http/cookies.py
@@ -389,17 +389,21 @@ class Morsel(dict):
return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
def js_output(self, attrs=None):
+ import urllib.parse
# Print javascript
output_string = self.OutputString(attrs)
if _has_control_character(output_string):
raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8')
return """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = \"%s\";
+ document.cookie = decodeURIComponent(\"%s\");
// end hiding -->
</script>
- """ % (output_string.replace('"', r'\"'))
+ """ % (output_encoded,)
def OutputString(self, attrs=None):
# Build up our result
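Review bot: The added comment in `js_output` says the value is Base64-encoded, but the code calls `urllib.parse.quote(output_string, safe='', encoding='utf-8')`, which percent-encodes and is undone by `decodeURIComponent` on the JavaScript side. The comment should match the code, e.g. `# Percent-encode the cookie string so it cannot terminate the JS string literal or the surrounding script element.` The function-scope `import urllib.parse` could also carry a short note on why it is not a module-level import, which the hunk does not explain.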