h11 icon indicating copy to clipboard operation
h11 copied to clipboard
verified publisher icon python-hyper

Validate outgoing request methods

Open njsmith opened this issue 6 years ago • 1 comments

Twisted recently did a CVE fix for CRLF injection in methods and request targets: https://twistedmatrix.com/trac/ticket/9647

We already validate request targets and headers to prevent this kind of nonsense, but AFAICT we don't actually validate request methods.

It seems very unlikely that most people are allowing attacker-controlled input into their HTTP methods. Methods are hard-coded like 99.999% of the time. But given that we're already validating everything else, we might as well validate this too just to make sure.

njsmith avatar Jun 05 '19 07:06 njsmith

I wonder if there's a need to provide an escape hatch as well for projects like pathod that might be using h11 to do non-standard things.

sigmavirus24 avatar Jun 05 '19 15:06 sigmavirus24