Commit 382c95ae authored by Hanno Schlichting's avatar Hanno Schlichting

LP #930812: Scrub headers a bit more.

parent bc4a283c
...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/releases/. ...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/releases/.
2.13.19 (unreleased) 2.13.19 (unreleased)
-------------------- --------------------
- LP #930812: Scrub headers a bit more.
- Updated distributions: - Updated distributions:
- tempstorage = 2.12.2 - tempstorage = 2.12.2
......
...@@ -128,7 +128,7 @@ otherTypes = os.environ.get('DONT_GZIP_MAJOR_MIME_TYPES','').lower() ...@@ -128,7 +128,7 @@ otherTypes = os.environ.get('DONT_GZIP_MAJOR_MIME_TYPES','').lower()
if otherTypes: if otherTypes:
uncompressableMimeMajorTypes += tuple(otherTypes.split(',')) uncompressableMimeMajorTypes += tuple(otherTypes.split(','))
_CRLF = re.compile(r'\r[\n]?') _CRLF = re.compile(r'[\r\n]')
def _scrubHeader(name, value): def _scrubHeader(name, value):
return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value))) return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
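Review bot: The widened pattern `[\r\n]` now deletes every bare CR or LF, which is the actual defence against header injection / response splitting, but the constant keeps the name `_CRLF` and nothing in the hunk records why a lone `\n` (or `\r`) must also go, so a later maintainer could "fix" it back to `\r[\n]?`. I would add on the regex line `# any bare CR or LF, not only CRLF: browsers and proxies treat either as a header break, so a single one is enough to split the response (LP #930812)`. Since the result is joined with `''`, `''.join(_CRLF.split(str(value)))` is the same as `_CRLF.sub('', str(value))`, which states the intent (delete, do not split) more directly; the scrubbing is silent, so anything that wants to log or reject a tampered value has to happen in the caller. Note that only CR and LF are scrubbed; other control characters in the value are passed through, which is presumably acceptable but worth stating in the comment.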
......
...@@ -431,6 +431,15 @@ class HTTPResponseTests(unittest.TestCase): ...@@ -431,6 +431,15 @@ class HTTPResponseTests(unittest.TestCase):
('Set-Cookie', ('Set-Cookie',
'violation="http://www.ietf.org/rfc/rfc2616.txt"')]) 'violation="http://www.ietf.org/rfc/rfc2616.txt"')])
def test_setHeader_drops_LF(self):
# Some browsers accept \n in place of \n\r to separate headers,
# so we scrub it too.
response = self._makeOne()
response.setHeader('Location',
'http://www.ietf.org/rfc/\nrfc2616.txt')
self.assertEqual(response.headers['location'],
'http://www.ietf.org/rfc/rfc2616.txt')
def test_appendHeader_no_existing(self): def test_appendHeader_no_existing(self):
response = self._makeOne() response = self._makeOne()
response.appendHeader('foo', 'foo') response.appendHeader('foo', 'foo')
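Review bot: The comment on the new test has the header separator backwards — browsers accept `\n` in place of `\r\n`, not `\n\r` — so it should read `# Some browsers accept \n in place of \r\n to separate headers,` to avoid misdescribing the threat the test guards against. The new test only covers the value side and only a bare LF; `_scrubHeader` also scrubs the header name and a bare CR, so one assertion each would pin those, e.g. `response.setHeader('X-Foo\nInjected', 'bar')` followed by `self.assertTrue('x-fooinjected' in response.headers)` (assuming the lower-cased key seen in the Location assertion applies to all names — verify), and a `'\r'`-only variant of the Location test. The enclosing `HTTPResponseTests` class starts before and ends after this hunk.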
......