
Commit d697d42

authored
Add check to validate absolute URIs (#7713)
1 parent 5c3adc4 commit d697d42


3 files changed

+13
-0
lines changed


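--- a/CHANGES/7712.bugfix
+++ b/CHANGES/7712.bugfix
@@ -0,0 +1 @@
+Add check to validate that absolute URIs have schemes.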

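--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
@@ -34,6 +34,7 @@
 ContentEncodingError,
 ContentLengthError,
 InvalidHeader,
+InvalidURLError,
 LineTooLong,
 TransferEncodingError,
 )
@@ -578,10 +579,16 @@ def parse_message(self, lines: List[bytes]) -> RawRequestMessage:
 fragment=url_fragment,
 encoded=True,
 )
+elif path == "*" and method == "OPTIONS":
+# asterisk-form,
+url = URL(path, encoded=True)
 else:
 # absolute-form for proxy maybe,
 # https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.2
 url = URL(path, encoded=True)
+if url.scheme == "":
+# not absolute-form
+raise InvalidURLError(line)
 
 # read headers
 (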
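Review bot: The new guard in the `else` branch only establishes that the target has a non-empty scheme, so a target such as `a:b` (constructed example) would presumably still be accepted as absolute-form even though it carries no host. If a front-end proxy or downstream routing interprets the request-target differently, that leaves room for a parser differential, so consider requiring an authority as well, e.g. `if url.scheme == "" or url.host is None:`, or restricting the accepted schemes. Separately, `raise InvalidURLError(line)` appears to put the raw, client-supplied request line into the exception, so it is worth confirming that the message is escaped wherever it is logged or rendered in an error response. `parse_message` starts and ends outside the hunk, so how earlier branches (for instance CONNECT targets) reach this `else` is not visible here.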

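--- a/tests/test_http_parser.py
+++ b/tests/test_http_parser.py
@@ -740,6 +740,11 @@ def test_http_request_parser_bad_version_number(parser: Any) -> None:
 parser.feed_data(b"GET /test HTTP/1.32\r\n\r\n")
 
 
+def test_http_request_parser_bad_uri(parser: Any) -> None:
+with pytest.raises(http_exceptions.InvalidURLError):
+parser.feed_data(b"GET ! HTTP/1.1\r\n\r\n")
+
+
 @pytest.mark.parametrize("size", [40965, 8191])
 def test_http_request_max_status_line(parser: Any, size: Any) -> None:
 path = b"t" * (size - 5)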
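Review bot: `test_http_request_parser_bad_uri` exercises only the rejection of `!`, so the asterisk-form branch added in the same commit has no coverage on either side of its condition. A positive case feeding `b"OPTIONS * HTTP/1.1\r\n\r\n"` and a negative case asserting that `b"GET * HTTP/1.1\r\n\r\n"` raises `InvalidURLError` would pin the `method == "OPTIONS"` restriction. A regression test that a well-formed absolute-form target (scheme plus host) still parses would also guard against the new check rejecting legitimate proxy requests.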
