From cd4ed8530fa04fcbd54009e9db6ad9ea2518a10b Mon Sep 17 00:00:00 2001
From: Aldo Cortesi <aldo@nullcube.com>
Date: Sun, 3 Mar 2013 15:03:57 +1300
Subject: [PATCH] Check that hosts in parse_url do not contain NULL bytes.

---
 netlib/http.py    | 4 +++-
 test/test_http.py | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/netlib/http.py b/netlib/http.py
index c864f1de5..1b03d330e 100644
--- a/netlib/http.py
+++ b/netlib/http.py
@@ -18,7 +18,7 @@ def parse_url(url):
 
         Checks that:
             port is an integer
-            host is a valid IDNA-encoded hostname
+            host is a valid IDNA-encoded hostname with no null-bytes
             path is valid ASCII
     """
     scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
@@ -43,6 +43,8 @@ def parse_url(url):
         host.decode("idna")
     except ValueError:
         return None
+    if "\0" in host:
+        return None
     try:
         path.decode("ascii")
     except ValueError:
diff --git a/test/test_http.py b/test/test_http.py
index 2cbba9366..f41a4e2d1 100644
--- a/test/test_http.py
+++ b/test/test_http.py
@@ -294,8 +294,9 @@ def test_parse_url():
 
     # Invalid IDNA
     assert not http.parse_url("http://\xfafoo")
-
     assert not http.parse_url("http:/\xc6/localhost:56121")
+    assert not http.parse_url("http://foo\0")
+
 
 
 def test_parse_http_basic_auth():