Fix response header sanitization.
bdarnell committed Apr 24, 2012
1 parent 15798a1 commit 1ae91f6
Showing 2 changed files with 16 additions and 1 deletion.
15 changes: 15 additions & 0 deletions tornado/test/web_test.py
Expand Up @@ -335,6 +335,16 @@ def get(self):
raise Exception("didn't get permanent or status arguments")


class HeaderInjectionHandler(RequestHandler):
def get(self):
try:
self.set_header("X-Foo", "foo\r\nX-Bar: baz")
raise Exception("Didn't get expected exception")
except ValueError, e:
assert "Unsafe header value" in str(e)
self.finish(b("ok"))


class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
def get_app(self):
loader = DictLoader({
Expand All @@ -359,6 +369,7 @@ def get_app(self):
url("/flow_control", FlowControlHandler),
url("/multi_header", MultiHeaderHandler),
url("/redirect", RedirectHandler),
url("/header_injection", HeaderInjectionHandler),
]
return Application(urls,
template_loader=loader,
Expand Down Expand Up @@ -452,6 +463,10 @@ def test_redirect(self):
response = self.fetch("/redirect?status=307", follow_redirects=False)
self.assertEqual(response.code, 307)

def test_header_injection(self):
response = self.fetch("/header_injection")
self.assertEqual(response.body, b("ok"))


class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase):
def get_app(self):
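Review bot: HeaderInjectionHandler.get only checks that the embedded CRLF value is refused; nothing in the new test confirms that a legitimate value is still accepted, so a future tightening of the pattern that over-rejects (for instance on a tab) would go unnoticed. A line such as `self.set_header("X-Ok", "plain value")` before the try block, with the body assertion unchanged, covers the accepting path. The check inside the handler is a bare `assert`, which is stripped under `python -O`, so the handler would answer "ok" even if the error text changed; `if "Unsafe header value" not in str(e): raise` keeps the check in every mode.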
2 changes: 1 addition & 1 deletion tornado/web.py
Expand Up @@ -275,7 +275,7 @@ def _convert_header_value(self, value):
# If \n is allowed into the header, it is possible to inject
# additional headers or split the request. Also cap length to
# prevent obviously erroneous values.
if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
raise ValueError("Unsafe header value %r", value)
return value

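Review bot: The ValueError raised on the line after the new re.search passes value as a second constructor argument instead of formatting it, so str(e) is the repr of a tuple rather than the intended message; `raise ValueError("Unsafe header value %r" % value)` produces what the comment and the new test describe. The class `[\x00-\x1f]` also stops short of DEL (0x7f), which RFC 2616 counts among the CTL characters excluded from field-content, so `[\x00-\x1f\x7f]` would close that gap; the same grammar permits HTAB (0x09) in a header value and this class rejects it, which may be intended. _convert_header_value begins above the hunk, so whether value is already bytes when it meets the bytes pattern is not visible here.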
