Add check to validate absolute URIs (#7713)

kenballus · web-flow · commit d697d4211b38 · 2023-10-16T17:32:28.000+01:00
diff --git a/CHANGES/7712.bugfix b/CHANGES/7712.bugfix
@@ -0,0 +1 @@
+Add check to validate that absolute URIs have schemes.
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
@@ -34,6 +34,7 @@
     ContentEncodingError,
     ContentLengthError,
     InvalidHeader,
+    InvalidURLError,
     LineTooLong,
     TransferEncodingError,
 )
@@ -578,10 +579,16 @@ def parse_message(self, lines: List[bytes]) -> RawRequestMessage:
                 fragment=url_fragment,
                 encoded=True,
             )
+        elif path == "*" and method == "OPTIONS":
+            # asterisk-form,
+            url = URL(path, encoded=True)
         else:
             # absolute-form for proxy maybe,
             # https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.2
             url = URL(path, encoded=True)
+            if url.scheme == "":
+                # not absolute-form
+                raise InvalidURLError(line)
 
         # read headers
         (
diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
@@ -740,6 +740,11 @@ def test_http_request_parser_bad_version_number(parser: Any) -> None:
         parser.feed_data(b"GET /test HTTP/1.32\r\n\r\n")
 
 
+def test_http_request_parser_bad_uri(parser: Any) -> None:
+    with pytest.raises(http_exceptions.InvalidURLError):
+        parser.feed_data(b"GET ! HTTP/1.1\r\n\r\n")
+
+
 @pytest.mark.parametrize("size", [40965, 8191])
 def test_http_request_max_status_line(parser: Any, size: Any) -> None:
     path = b"t" * (size - 5)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add check to validate that absolute URIs have schemes.`