prevent CVE-2019-9740 in 1.24.x

[ryanpetrello]

adapted from python/cpython#12755

related: #1553

[sethmlarson]

I missed a few things on the fast-forward it looks like. Namely dummyserver/.

[ryanpetrello]

@sethmlarson just rebased

[sethmlarson]

Can you update the dotted_fqdn test the same way as it's update in master? ie skip it on GCE

[codecov-io]

Codecov Report

Merging #1591 into 1.24-series will increase coverage by <.01%.
The diff coverage is 100%.

@@               Coverage Diff               @@
##           1.24-series    #1591      +/-   ##
===============================================
+ Coverage        98.74%   98.74%   +<.01%     
===============================================
  Files               22       22              
  Lines             1826     1828       +2     
===============================================
+ Hits              1803     1805       +2     
  Misses              23       23

Impacted Files	Coverage Δ
src/urllib3/util/ssl_.py	100% <ø> (ø)	⬆️
src/urllib3/connectionpool.py	100% <ø> (ø)	⬆️
src/urllib3/poolmanager.py	100% <ø> (ø)	⬆️
src/urllib3/util/url.py	100% <100%> (ø)	⬆️
src/urllib3/contrib/socks.py	100% <100%> (ø)	⬆️
src/urllib3/response.py	100% <100%> (ø)	⬆️
src/urllib3/connection.py	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cd1449d...97566f2. Read the comment docs.

[ryanpetrello]

@sethmlarson do you know what's up w/ the lint failures? Maybe a newer version of pycodestyle, or some new rules got applied in master to work around it?

How would you like me to proceed with that?

[sethmlarson]

Might have to apply this commit to the branch as well: d0255e0

[ryanpetrello]

@sethmlarson looks like Travis is still unhappy :/ Looks related to tests run on OSX?

I might need some help making the 1.24-series branch pass Travis.

[gpshead]

I recommend using a repr of the URL rather than the raw url containing the offending text in the error message. {!r} iirc.

[ryanpetrello]

Good point @gpshead, addressed.

Here's with the latest version of this PR:

>>> urllib3.PoolManager().request('GET', 'http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ryanpetrello/dev/urllib3/src/urllib3/request.py", line 68, in request
    **urlopen_kw)
  File "/home/ryanpetrello/dev/urllib3/src/urllib3/request.py", line 89, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/home/ryanpetrello/dev/urllib3/src/urllib3/poolmanager.py", line 312, in urlopen
    u = parse_url(url)
  File "/home/ryanpetrello/dev/urllib3/src/urllib3/util/url.py", line 164, in parse_url
    raise LocationParseError("URL can't contain control characters. {!r}".format(url))
urllib3.exceptions.LocationParseError: Failed to parse: URL can't contain control characters. 'http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:'

[ryanpetrello]

@sethmlarson I think I've got the correct things ported from master to make Travis-CI happy now. It came down to a few new decorators for skipping tests in certain environments, and some actual flake8 updates.

[ryanpetrello]

@sethmlarson pypy on 27 is failing for me, but it's also failing on recent commits to master (https://travis-ci.org/urllib3/urllib3/builds/524640946?utm_source=github_status&utm_medium=notification), and it looks like it's non-voting in Travis.

Might be a simple fix, but it seems outside of the scope of this PR:

[ryanpetrello]

@sethmlarson

Thanks for the quick turn around on this 😄.

At the risk of being a nag, what are the odds this will wind up in an official release on PyPI (1.24.3?) soon-ish?