Commit 09b8af0a authored by Tres Seaver's avatar Tres Seaver

Ensure that response header values cannot embed CRLF pairs, which violate the

HTTP spec (RFC 2616).
parent 5e28d89b
......@@ -8,6 +8,9 @@ Zope Changes
Bugs fixed
- Ensure that response header values cannot embed CRLF pairs, which
violate the HTTP spec (RFC 2616).
- Launchpad #282677: fixed implementation of guarded_map and
provided tests and implementation for guarded_zip
(RestrictedPython).
......
......@@ -122,6 +122,10 @@ otherTypes = os.environ.get('DONT_GZIP_MAJOR_MIME_TYPES','').lower()
if otherTypes:
uncompressableMimeMajorTypes += tuple(otherTypes.split(','))
_CRLF = re.compile(r'\r[\n]?')
def _scrubHeader(name, value):
return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
class HTTPResponse(BaseResponse):
"""\
......@@ -248,8 +252,7 @@ class HTTPResponse(BaseResponse):
the previous value set for the header, if one exists. If the
literal flag is true, the case of the header name is preserved,
otherwise the header name will be lowercased.'''
name = str(name)
value = str(value)
name, value = _scrubHeader(name, value)
key = name.lower()
if accumulate_header(key):
self.accumulated_headers = (
......@@ -274,8 +277,7 @@ class HTTPResponse(BaseResponse):
'''\
Set a new HTTP return header with the given value, while retaining
any previously set headers with the same name.'''
name = str(name)
value = str(value)
name, value = _scrubHeader(name, value)
self.accumulated_headers = (
"%s%s: %s\n" % (self.accumulated_headers, name, value))
......@@ -585,8 +587,8 @@ class HTTPResponse(BaseResponse):
Sets an HTTP return header "name" with value "value",
appending it following a comma if there was a previous value
set for the header. '''
name = str(name).lower()
value = str(value)
name, value = _scrubHeader(name, value)
name = name.lower()
headers = self.headers
if headers.has_key(name):
......
......@@ -145,6 +145,40 @@ class HTTPResponseTests(unittest.TestCase):
response = self._makeOne(body=xml, headers={'content-type': 'text/xml; charset=iso-8859-15'})
self.assertEqual(xml==response.body, True)
def test_addHeader_drops_CRLF(self):
# RFC2616 disallows CRLF in a header value.
response = self._makeOne()
response.addHeader('Location',
'http://www.ietf.org/rfc/\r\nrfc2616.txt')
self.assertEqual(response.accumulated_headers,
'Location: http://www.ietf.org/rfc/rfc2616.txt\n')
def test_appendHeader_drops_CRLF(self):
# RFC2616 disallows CRLF in a header value.
response = self._makeOne()
response.appendHeader('Location',
'http://www.ietf.org/rfc/\r\nrfc2616.txt')
self.assertEqual(response.headers['location'],
'http://www.ietf.org/rfc/rfc2616.txt')
def test_setHeader_drops_CRLF(self):
# RFC2616 disallows CRLF in a header value.
response = self._makeOne()
response.setHeader('Location',
'http://www.ietf.org/rfc/\r\nrfc2616.txt')
self.assertEqual(response.headers['location'],
'http://www.ietf.org/rfc/rfc2616.txt')
def test_setHeader_drops_CRLF_when_accumulating(self):
# RFC2616 disallows CRLF in a header value.
response = self._makeOne()
response.setHeader('Set-Cookie', 'allowed="OK"')
response.setHeader('Set-Cookie',
'violation="http://www.ietf.org/rfc/\r\nrfc2616.txt"')
self.assertEqual(response.accumulated_headers,
'Set-Cookie: allowed="OK"\n' +
'Set-Cookie: violation="http://www.ietf.org/rfc/rfc2616.txt"\n')
def test_suite():
suite = unittest.TestSuite()
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment