Skip to content

Commit

Permalink
Reject non-http, non-https URLs. (seanmonstar#921)
Browse files Browse the repository at this point in the history 
Normally hyper is in charge of rejecting non-http URLs, but because
reqwest supports both http and https URLs, it calls enforce_http(false),
disabling hyper's checks.

This adds back a check in reqwest itself, plus a test.

There may still need to be an additional check in connect.rs.
  • Loading branch information
@jsha
jsha authored May 29, 2020
1 parent fd253cf commit eef5046
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions src/async_impl/client.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ use super::Body;
use crate::connect::{Connector, HttpConnector};
#[cfg(feature = "cookies")]
use crate::cookie;
use crate::error;
use crate::into_url::{expect_uri, try_uri};
use crate::redirect::{self, remove_sensitive_headers};
#[cfg(feature = "__tls")]
Expand Down Expand Up @@ -995,6 +996,9 @@ impl Client {

pub(super) fn execute_request(&self, req: Request) -> Pending {
let (method, url, mut headers, body, timeout) = req.pieces();
if url.scheme() != "http" && url.scheme() != "https" {
return Pending::new_err(error::url_bad_scheme(url));
}

// insert default headers in the request headers
// without overwriting already appended headers.
Expand Down Expand Up @@ -1496,3 +1500,18 @@ fn add_cookie_header(headers: &mut HeaderMap, cookie_store: &cookie::CookieStore
);
}
}

#[cfg(test)]
mod tests {
#[tokio::test]
async fn execute_request_rejects_invald_urls() {
let url_str = "hxxps://www.rust-lang.org/";
let url = url::Url::parse(url_str).unwrap();
let result = crate::get(url.clone()).await;

assert!(result.is_err());
let err = result.err().unwrap();
assert!(err.is_builder());
assert_eq!(url_str, err.url().unwrap().as_str());
}
}

0 comments on commit eef5046

Please sign in to comment.