fix: reject authority-form request-target outside CONNECT (RFC 9112 section 3.2.3)

Detect authority-form as a request-target that is neither origin-form
(starts with "/"), absolute-form (contains "://"), nor asterisk; reject
it for any method other than CONNECT. Both WSGI and ASGI Python parsers.
Benoit Chesneau 2026-04-19 11:11:42 +02:00
parent e7fd6a104f
commit 882e636208
2 changed files with 16 additions and 0 deletions


@ -460,6 +460,13 @@ class PythonProtocol:
if self.path == b'*' and self.method != b'OPTIONS':
raise InvalidRequestLine("Invalid request line")
# RFC 9112 section 3.2.3: authority-form is only valid with CONNECT.
if (self.method != b'CONNECT'
and self.path != b'*'
and not self.path.startswith(b'/')
and b'://' not in self.path):
raise InvalidRequestLine("Invalid request line")
# Parse version
version = parts[2]
if version == b'HTTP/1.1':
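Review bot: The absolute-form test `b'://' not in self.path` is a substring match, so a non-CONNECT request-target such as `example.com:80/?u=http://x` or `host:443/a://b` is accepted as absolute-form even though it begins with an authority, which is exactly the shape this check is meant to reject; anything downstream that keys on the leading host segment would still see the authority-form target. Absolute-form always starts with a scheme, so anchor the test at the start of the target, e.g. a module-level `_ABSOLUTE_FORM = re.compile(rb'^[A-Za-z][A-Za-z0-9+.-]*://')` and `and not _ABSOLUTE_FORM.match(self.path)` in place of the substring test (add `import re` if the module does not already have it). The method this check lives in starts before the hunk, and I cannot see from here how `self.path` is consumed afterwards, so the practical impact of the bypass depends on that code.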


@ -811,6 +811,15 @@ class Request(Message):
if self.uri == "*" and self.method != "OPTIONS":
raise InvalidRequestLine(bytes_to_str(line_bytes))
# RFC 9112 section 3.2.3: authority-form ("host:port") is only valid
# with CONNECT. origin-form starts with "/"; absolute-form contains
# "://". Anything else on a non-CONNECT request is authority-form.
if (self.method != "CONNECT"
and self.uri != "*"
and not self.uri.startswith("/")
and "://" not in self.uri):
raise InvalidRequestLine(bytes_to_str(line_bytes))
try:
parts = split_request_uri(self.uri)
except ValueError:
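Review bot: The same substring weakness exists here: `"://" not in self.uri` lets an authority-form target through whenever `://` appears anywhere later in it (for example in a query string), so the two parsers still differ from the RFC 9112 section 3.2.3 rule they cite; anchoring on a leading scheme, `and not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", self.uri)`, closes that. The commit only enforces one direction of the rule: a CONNECT request whose target starts with `/` or carries a scheme is still accepted, although RFC 9112 requires authority-form for CONNECT; whether that matters depends on what `split_request_uri` and the CONNECT handling outside this hunk do with it, which I cannot see. A one-line comment on the check such as `# Substring match on "://" is intentionally loose; tighten if the target is ever used to pick an upstream host` would at least record the trade-off if the looser test is kept. The enclosing method begins before and continues past the hunk.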