diff --git a/Lib/httplib.py b/Lib/httplib.py
@@ -745,6 +745,8 @@ def __init__(self, host, port=None, strict=None,

        (self.host, self.port) = self._get_hostport(host, port)

        # This is stored as an instance variable to allow unittests
        # to replace with a suitable mock
        self._create_connection = socket.create_connection
@@ -1029,6 +1031,17 @@ def _validate_path(self, url):
            ).format(matched=match.group(), url=url)
            raise InvalidURL(msg)

    def putheader(self, header, *values):
        """Send a request header line to the server.


diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
@@ -702,7 +702,7 @@ def test_proxy_tunnel_without_status_line(self):
        with self.assertRaisesRegexp(socket.error, "Invalid response"):
            conn._tunnel()

-    def test_putrequest_override_validation(self):
        """
        It should be possible to override the default validation
        behavior in putrequest (bpo-38216).
@@ -715,6 +715,17 @@ def _validate_path(self, url):
        conn.sock = FakeSocket('')
        conn.putrequest('GET', '/\x00')


class OfflineTest(TestCase):
    def test_responses(self):

diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
@@ -1321,7 +1321,7 @@ def test_unsupported_algorithm(self):
        )

    @unittest.skipUnless(ssl, "ssl module required")
-    def test_url_with_control_char_rejected(self):
        for char_no in range(0, 0x21) + range(0x7f, 0x100):
            char = chr(char_no)
            schemeless_url = "//localhost:7777/test%s/" % char
@@ -1345,7 +1345,7 @@ def test_url_with_control_char_rejected(self):
                self.unfakehttp()

    @unittest.skipUnless(ssl, "ssl module required")
-    def test_url_with_newline_header_injection_rejected(self):
        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
        schemeless_url = "//" + host + ":8080/test/?test=a"
@@ -1357,14 +1357,32 @@ def test_url_with_newline_header_injection_rejected(self):
            # calls urllib.parse.quote() on the URL which makes all of the
            # above attempts at injection within the url _path_ safe.
            InvalidURL = httplib.InvalidURL
-            with self.assertRaisesRegexp(
-                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
-                urllib2.urlopen("http:" + schemeless_url)
-            with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
-                urllib2.urlopen("https:" + schemeless_url)
        finally:
            self.unfakehttp()



class RequestTests(unittest.TestCase):

diff --git a/Misc/NEWS.d/next/Library/2020-03-18-01-30-50.bpo-38576.cvI68q.rst b/Misc/NEWS.d/next/Library/2020-03-18-01-30-50.bpo-38576.cvI68q.rst
@@ -0,0 +1,3 @@