cheroot

Make HTTP request parser return 400 on null byte in the request line

Open webknjaz opened this issue 6 years ago • 2 comments

I'm submitting a ...

  • [X] 🐞 bug report
  • [ ] 🐣 feature request
  • [ ] ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?

NULL-byte paths get routed to handlers.

What is the motivation / use case for changing the behavior?

Have a correct HTTP implementation.

💡 To Reproduce

N/A

💡 Expected behavior

400 Bad Request

📋 Details

NULL-byte is illegal in the Request-Line

📋 Environment

  • Cheroot version: master
  • CherryPy version: master
  • Python version: N/A
  • OS: N/A
  • Browser: N/A

📋 Additional context

https://github.com/cherrypy/cherrypy/issues/1781

webknjaz avatar Jun 23 '19 15:06 webknjaz

~See also the upstream issue36274 which attempts to solve the issue with Python rather than have each project implement its own workaround.~

jaraco avatar Sep 13 '19 14:09 jaraco

I see now that that upstream issue is about something else. This issue is specifically about ensuring a 400 (bad request) is returned for invalid requests instead of attempting to route them.

jaraco avatar Sep 26 '19 20:09 jaraco
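The behavior requested in this issue, as an added example that is not cheroot's code and not part of the original thread: validate the Request-Line before any routing, so a raw NUL byte yields 400 and never reaches a handler. The names `parse_request_line`, `respond`, `ROUTES` and `SAMPLES` are hypothetical, and the check goes slightly beyond the issue by rejecting every control byte and stray space in the request-target, not only NUL.

```python
import re

# Request-Line shape: method SP request-target SP HTTP-version (CRLF stripped).
# The target class [\x21-\x7e] excludes NUL, other control bytes, and spaces.
REQUEST_LINE = re.compile(
    rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+) ([\x21-\x7e]+) (HTTP/\d\.\d)"
)


def parse_request_line(raw):
    """Return (method, target, version), or None if the line is malformed."""
    line = raw[:-2] if raw.endswith(b"\r\n") else raw
    match = REQUEST_LINE.fullmatch(line)
    return match.groups() if match else None


def respond(raw, routes):
    """Validate first, route second: a malformed line never reaches a handler."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return 400, b"Bad Request"
    method, target, _version = parsed
    handler = routes.get(target.split(b"?", 1)[0])
    if handler is None:
        return 404, b"Not Found"
    return 200, handler(method, target)


# Constructed sample routes and request lines (not taken from the issue).
ROUTES = {b"/": lambda method, target: b"index"}
SAMPLES = [
    b"GET / HTTP/1.1\r\n",
    b"GET /\x00 HTTP/1.1\r\n",  # raw NUL in the request-target
    b"GET /missing HTTP/1.1\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", respond(sample, ROUTES)[0])
```
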