LP #930812: Scrub headers a bit more.

doc/CHANGES.rst

@@ -8,6 +8,7 @@ http://docs.zope.org/zope2/releases/.
 2.12.26 (unreleased)
 --------------------
 
+- LP #930812: Scrub headers a bit more.
 
 2.12.25 (2012-09-18)
 --------------------
@@ -15,7 +16,6 @@ http://docs.zope.org/zope2/releases/.
 - Explicitly declared ZTUtils APIs as public (repairs breakages in apps
   following fix for LP #1047318).
 
-
 2.12.24 (2012-09-09)
 --------------------
 

src/ZPublisher/HTTPResponse.py

@@ -125,7 +125,7 @@ otherTypes = os.environ.get('DONT_GZIP_MAJOR_MIME_TYPES','').lower()
 if otherTypes:
     uncompressableMimeMajorTypes += tuple(otherTypes.split(','))
 
-_CRLF = re.compile(r'\r[\n]?')
+_CRLF = re.compile(r'[\r\n]')
 
 def _scrubHeader(name, value):
     return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))

src/ZPublisher/tests/testHTTPResponse.py

@@ -303,6 +303,15 @@ class HTTPResponseTests(unittest.TestCase):
                 'Set-Cookie: '
                 'violation="http://www.ietf.org/rfc/rfc2616.txt"\r\n')
 
+    def test_setHeader_drops_LF(self):
+        # Some browsers accept \n in place of \n\r to separate headers,
+        # so we scrub it too.
+        response = self._makeOne()
+        response.setHeader('Location',
+                           'http://www.ietf.org/rfc/\nrfc2616.txt')
+        self.assertEqual(response.headers['location'],
+                         'http://www.ietf.org/rfc/rfc2616.txt')
+
     def test_setBody_compression_vary(self):
         # Vary header should be added here
         response = self._makeOne()