bpo-35906: Fix CRLF injection in urllib by push0ebp · Pull Request #12524 · python/cpython

python

@@ -1059,6 +1059,16 @@ def test_splithost(self): self.assertEqual(splithost("//example.net/file#"), ('example.net', '/file#'))
# bpo-35906: disallow line breaks self.assertEqual(splithost('//127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value'), (None, '//127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value'))
self.assertEqual(splithost('//127.0.0.1:1234?q=HTTP/1.1\r\nHeader: Value'), (None, '//127.0.0.1:1234?q=HTTP/1.1\r\nHeader: Value'))
self.assertEqual(splithost('//127.0.0.1:1234#q=HTTP/1.1\r\nHeader: Value'), (None, '//127.0.0.1:1234#q=HTTP/1.1\r\nHeader: Value'))
def test_splituser(self): splituser = urllib.parse._splituser self.assertEqual(splituser('User:Pass@www.python.org:080'),