Commit
8ed2f2b6
authored
Jul 06, 2016
by
Jason Madden
Strip incoming headers that contain an underscore. Fixes #819.
parent
ff5ca13b
Changes
23
Showing
23 changed files
with
45 additions
and
23 deletions
+45
-23
changelog.rst
changelog.rst
+2
-0
src/gevent/pywsgi.py
src/gevent/pywsgi.py
+8
-3
src/greentest/_six.py
src/greentest/_six.py
+0
-0
src/greentest/greentest.py
src/greentest/greentest.py
+1
-1
src/greentest/test__all__.py
src/greentest/test__all__.py
+1
-1
src/greentest/test__backdoor.py
src/greentest/test__backdoor.py
+1
-1
src/greentest/test__event.py
src/greentest/test__event.py
+1
-1
src/greentest/test__exc_info.py
src/greentest/test__exc_info.py
+1
-1
src/greentest/test__execmodules.py
src/greentest/test__execmodules.py
+1
-1
src/greentest/test__order.py
src/greentest/test__order.py
+1
-1
src/greentest/test__os.py
src/greentest/test__os.py
+1
-1
src/greentest/test__pool.py
src/greentest/test__pool.py
+1
-1
src/greentest/test__pywsgi.py
src/greentest/test__pywsgi.py
+15
-0
src/greentest/test__select.py
src/greentest/test__select.py
+1
-1
src/greentest/test__socket.py
src/greentest/test__socket.py
+1
-1
src/greentest/test__socket_dns.py
src/greentest/test__socket_dns.py
+2
-2
src/greentest/test__subprocess_interrupted.py
src/greentest/test__subprocess_interrupted.py
+1
-1
src/greentest/test__threadpool.py
src/greentest/test__threadpool.py
+1
-1
src/greentest/test_hub_join_timeout.py
src/greentest/test_hub_join_timeout.py
+1
-1
src/greentest/test_queue.py
src/greentest/test_queue.py
+1
-1
src/greentest/test_threading_2.py
src/greentest/test_threading_2.py
+1
-1
src/greentest/testrunner.py
src/greentest/testrunner.py
+1
-1
src/greentest/util.py
src/greentest/util.py
+1
-1
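--- a/changelog.rst
+++ b/changelog.rst
@@ -46,6 +46,8 @@ Security
   ``start_response`` do not contain a carriage return or newline in
   order to prevent HTTP response splitting (header injection), raising
   a :exc:`ValueError` if they do. See :issue:`775`.
+- Incoming headers containing an underscore are no longer placed in
+  the WSGI environ. See :issue:`819`.
 - Errors logged by :class:`~gevent.pywsgi.WSGIHandler` no
   longer print the entire WSGI environment by default. This avoids
   possible information disclosure vulnerabilities. Applications can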
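--- a/src/gevent/pywsgi.py
+++ b/src/gevent/pywsgi.py
@@ -1010,18 +1010,23 @@ class WSGIHandler(object):
     def _headers(self):
         key = None
         value = None
+        IGNORED_KEYS = (None, 'CONTENT_TYPE', 'CONTENT_LENGTH')
         for header in self.headers.headers:
             if key is not None and header[:1] in " \t":
                 value += header
                 continue
 
-            if key not in (None, 'CONTENT_TYPE', 'CONTENT_LENGTH'):
+            if key not in IGNORED_KEYS:
                 yield 'HTTP_' + key, value.strip()
 
             key, value = header.split(':', 1)
-            key = key.replace('-', '_').upper()
+            if '_' in key:
+                # strip incoming bad veaders
+                key = None
+            else:
+                key = key.replace('-', '_').upper()
 
-        if key not in (None, 'CONTENT_TYPE', 'CONTENT_LENGTH'):
+        if key not in IGNORED_KEYS:
             yield 'HTTP_' + key, value.strip()
 
     def get_environ(self):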
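Review bot: A folded continuation line that follows a dropped header is no longer recognised as a continuation, because the new branch sets `key = None` and the `key is not None` test at the top of the loop then fails; that line falls through to `header.split(':', 1)`, which raises ValueError when it has no colon and otherwise yields it as a fresh header whose name starts with whitespace. A non-None marker keeps such continuations consumed and discarded: `IGNORED_KEYS = (None, '', 'CONTENT_TYPE', 'CONTENT_LENGTH')` and in the drop branch `key = ''` (the `''` entry stops the accumulated value from being yielded). The comment should also give the reason instead of `bad veaders`: `# drop it: after replace('-', '_') it would collide with the dash-spelled header (X-Auth_User vs X-Auth-User), which can let a client-supplied header shadow one a front-end proxy sets`. Whether a request carrying such a header should be rejected with a 400 rather than silently trimmed is a policy choice this hunk leaves to the caller of _headers, which is outside it.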
src/greentest/six.py
→
src/greentest/
_
six.py
File moved
src/greentest/greentest.py
...
@@ -36,7 +36,7 @@ from gevent.hub import _get_hub
...
@@ -36,7 +36,7 @@ from gevent.hub import _get_hub
from
functools
import
wraps
from
functools
import
wraps
import
contextlib
import
contextlib
import
gc
import
gc
import
six
import
_six
as
six
PYPY
=
hasattr
(
sys
,
'pypy_version_info'
)
PYPY
=
hasattr
(
sys
,
'pypy_version_info'
)
...
...
src/greentest/test__all__.py
"""Check __all__, __implements__, __extensions__, __imports__ of the modules"""
"""Check __all__, __implements__, __extensions__, __imports__ of the modules"""
from
__future__
import
print_function
from
__future__
import
print_function
import
six
import
_six
as
six
import
sys
import
sys
import
unittest
import
unittest
import
types
import
types
...
...
src/greentest/test__backdoor.py
...
@@ -2,7 +2,7 @@ import greentest
...
@@ -2,7 +2,7 @@ import greentest
import
gevent
import
gevent
from
gevent
import
socket
from
gevent
import
socket
from
gevent
import
backdoor
from
gevent
import
backdoor
from
six
import
xrange
from
_
six
import
xrange
def
read_until
(
conn
,
postfix
):
def
read_until
(
conn
,
postfix
):
...
...
src/greentest/test__event.py
import
greentest
import
greentest
import
gevent
import
gevent
from
gevent.event
import
Event
,
AsyncResult
from
gevent.event
import
Event
,
AsyncResult
from
six
import
xrange
from
_
six
import
xrange
DELAY
=
0.01
DELAY
=
0.01
...
...
src/greentest/test__exc_info.py
import
gevent
import
gevent
import
sys
import
sys
import
greentest
import
greentest
import
six
import
_six
as
six
if
not
six
.
PY3
:
if
not
six
.
PY3
:
sys
.
exc_clear
()
sys
.
exc_clear
()
...
...
src/greentest/test__execmodules.py
from
greentest
import
walk_modules
,
BaseTestCase
,
main
,
NON_APPLICABLE_SUFFIXES
from
greentest
import
walk_modules
,
BaseTestCase
,
main
,
NON_APPLICABLE_SUFFIXES
import
six
import
_six
as
six
class
TestExec
(
BaseTestCase
):
class
TestExec
(
BaseTestCase
):
...
...
src/greentest/test__order.py
import
gevent
import
gevent
import
greentest
import
greentest
from
six
import
xrange
from
_
six
import
xrange
class
appender
(
object
):
class
appender
(
object
):
...
...
src/greentest/test__os.py
import
sys
import
sys
import
six
import
_six
as
six
from
os
import
pipe
from
os
import
pipe
from
gevent
import
os
from
gevent
import
os
from
greentest
import
TestCase
,
main
from
greentest
import
TestCase
,
main
...
...
src/greentest/test__pool.py
...
@@ -6,7 +6,7 @@ from gevent.queue import Queue
...
@@ -6,7 +6,7 @@ from gevent.queue import Queue
import
greentest
import
greentest
import
random
import
random
from
greentest
import
ExpectedException
from
greentest
import
ExpectedException
import
six
import
_six
as
six
import
unittest
import
unittest
...
...
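--- a/src/greentest/test__pywsgi.py
+++ b/src/greentest/test__pywsgi.py
@@ -1363,6 +1363,21 @@ class TestInvalidEnviron(TestCase):
         read_http(fd)
 
 
+class TestInvalidHeadersDropped(TestCase):
+    validator = None
+    # check that invalid headers with a _ are dropped
+
+    def application(self, environ, start_response):
+        self.assertNotIn('HTTP_X_AUTH_USER', environ)
+        start_response('200 OK', [])
+        return []
+
+    def test(self):
+        fd = self.makefile()
+        fd.write('GET / HTTP/1.0\r\nx-auth_user: bob\r\n\r\n')
+        read_http(fd)
+
+
 class Handler(pywsgi.WSGIHandler):
 
     def read_requestline(self):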
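Review bot: The new test only asserts that the underscore spelling is absent from environ; it does not show that the dash spelling still arrives, nor that an underscore header cannot shadow it when both are sent in one request, which is the collision the stripping exists to prevent. Send both, `fd.write('GET / HTTP/1.0\r\nX-Auth-User: alice\r\nx-auth_user: bob\r\n\r\n')`, and in application assert `self.assertEqual(environ.get('HTTP_X_AUTH_USER'), 'alice')`. A folded continuation after the dropped header (`x-auth_user: bob\r\n more\r\n`) is also worth a case, since how the handler treats it is decided outside this hunk. `validator = None` would benefit from a one-line comment saying why the WSGI validator is switched off for this test, which cannot be told from the hunk alone.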
src/greentest/test__select.py
import
six
import
_six
as
six
import
sys
import
sys
import
os
import
os
import
errno
import
errno
...
...
src/greentest/test__socket.py
...
@@ -7,7 +7,7 @@ import traceback
...
@@ -7,7 +7,7 @@ import traceback
import
time
import
time
import
greentest
import
greentest
from
functools
import
wraps
from
functools
import
wraps
import
six
import
_six
as
six
# we use threading on purpose so that we can test both regular and gevent sockets with the same code
# we use threading on purpose so that we can test both regular and gevent sockets with the same code
from
threading
import
Thread
as
_Thread
from
threading
import
Thread
as
_Thread
...
...
src/greentest/test__socket_dns.py
#!/usr/bin/python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# -*- coding: utf-8 -*-
import
six
import
_six
as
six
import
re
import
re
import
greentest
import
greentest
import
socket
import
socket
...
@@ -8,7 +8,7 @@ from time import time
...
@@ -8,7 +8,7 @@ from time import time
import
gevent
import
gevent
import
gevent.socket
as
gevent_socket
import
gevent.socket
as
gevent_socket
from
util
import
log
from
util
import
log
from
six
import
xrange
from
_
six
import
xrange
resolver
=
gevent
.
get_hub
().
resolver
resolver
=
gevent
.
get_hub
().
resolver
...
...
src/greentest/test__subprocess_interrupted.py
import
sys
import
sys
from
six
import
xrange
from
_
six
import
xrange
if
'runtestcase'
in
sys
.
argv
[
1
:]:
if
'runtestcase'
in
sys
.
argv
[
1
:]:
...
...
src/greentest/test__threadpool.py
...
@@ -7,7 +7,7 @@ import gevent.threadpool
...
@@ -7,7 +7,7 @@ import gevent.threadpool
from
gevent.threadpool
import
ThreadPool
from
gevent.threadpool
import
ThreadPool
import
gevent
import
gevent
from
greentest
import
ExpectedException
from
greentest
import
ExpectedException
import
six
import
_six
as
six
import
gc
import
gc
...
...
src/greentest/test_hub_join_timeout.py
...
@@ -2,7 +2,7 @@ from contextlib import contextmanager
...
@@ -2,7 +2,7 @@ from contextlib import contextmanager
import
gevent
import
gevent
from
gevent.event
import
Event
from
gevent.event
import
Event
from
time
import
time
from
time
import
time
from
six
import
xrange
from
_
six
import
xrange
SMALL
=
0.1
SMALL
=
0.1
...
...
src/greentest/test_queue.py
...
@@ -9,7 +9,7 @@ try:
...
@@ -9,7 +9,7 @@ try:
from
test
import
support
as
test_support
from
test
import
support
as
test_support
except
ImportError
:
except
ImportError
:
from
test
import
test_support
from
test
import
test_support
from
six
import
xrange
from
_
six
import
xrange
QUEUE_SIZE
=
5
QUEUE_SIZE
=
5
...
...
src/greentest/test_threading_2.py
# testing gevent's Event, Lock, RLock, Semaphore, BoundedSemaphore with standard test_threading
# testing gevent's Event, Lock, RLock, Semaphore, BoundedSemaphore with standard test_threading
from
__future__
import
print_function
from
__future__
import
print_function
from
six
import
xrange
from
_
six
import
xrange
setup_
=
'''from gevent import monkey; monkey.patch_all()
setup_
=
'''from gevent import monkey; monkey.patch_all()
from gevent.event import Event
from gevent.event import Event
...
...
src/greentest/testrunner.py
#!/usr/bin/env python
#!/usr/bin/env python
from
__future__
import
print_function
from
__future__
import
print_function
import
six
import
_six
as
six
import
sys
import
sys
import
os
import
os
import
glob
import
glob
...
...
src/greentest/util.py
import
sys
import
sys
import
os
import
os
import
six
import
_six
as
six
import
traceback
import
traceback
import
unittest
import
unittest
import
threading
import
threading
...
...