gh-100001: Also escape \s in http.server log messages. (GH-100038)
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was.  Without this a \xHH is ambiguous as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
(cherry picked from commit 7e29398)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington and gpshead authored Dec 5, 2022
1 parent ec8c06b commit aae7b43
Showing 3 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions Lib/http/server.py
Expand Up @@ -567,6 +567,7 @@ def log_error(self, format, *args):
# https://en.wikipedia.org/wiki/List_of_Unicode_characters#Control_codes
_control_char_table = str.maketrans(
{c: fr'\x{c:02x}' for c in itertools.chain(range(0x20), range(0x7f,0xa0))})
_control_char_table[ord('\\')] = r'\\'

def log_message(self, format, *args):
"""Log an arbitrary message.
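Review bot: The added `_control_char_table[ord('\\')] = r'\\'` line carries no comment explaining why a backslash belongs in a table of control characters, so the reason is only recoverable from the commit message. I would put `# Escape the backslash too, so a literal "\x1b" in the request is not mistaken for one of our replacements.` directly above it. The table still passes `"` through unchanged (the new test expects `/foo\\b"ar` in the output), so a log consumer that splits fields on quotes can still be misled by a quote inside the request line. That limit is worth stating in the same comment or in the log_message docstring, which begins at the end of this hunk and continues outside it.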
2 changes: 2 additions & 0 deletions Lib/test/test_httpservers.py
Expand Up @@ -994,6 +994,7 @@ def test_unprintable_not_logged(self):
log_message(self.handler, '/\033bar\000\033')
log_message(self.handler, '/spam %s.', 'a')
log_message(self.handler, '/spam %s.', '\033\x7f\x9f\xa0beans')
log_message(self.handler, '"GET /foo\\b"ar\007 HTTP/1.0"')
stderr = fake_stderr.getvalue()
self.assertNotIn('\033', stderr) # non-printable chars are caught.
self.assertNotIn('\000', stderr) # non-printable chars are caught.
Expand All @@ -1002,6 +1003,7 @@ def test_unprintable_not_logged(self):
self.assertIn(r'/\x1bbar\x00\x1b', lines[1])
self.assertIn('/spam a.', lines[2])
self.assertIn('/spam \\x1b\\x7f\\x9f\xa0beans.', lines[3])
self.assertIn(r'"GET /foo\\b"ar\x07 HTTP/1.0"', lines[4])

def test_http_1_1(self):
result = self.send_typical_request(b'GET / HTTP/1.1\r\n\r\n')
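Review bot: The new case in test_unprintable_not_logged checks that a backslash is doubled, but it never exercises the ambiguity the commit is about, namely a request containing the four literal characters `\x1b` as opposed to a real ESC byte. A second input such as `log_message(self.handler, r'/\x1b')` with `self.assertIn(r'/\\x1b', lines[5])` would pin that the two now log differently. The index assumes `lines` is split one entry per log call, which is set up in the collapsed part between the two hunks, so confirm it there. The test method starts before the first hunk.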
@@ -0,0 +1,5 @@
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was. Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
