simply ignore headers with no name (#19996)

Patch by Cory Benfield.

simply ignore headers with no name (#19996)
Patch by Cory Benfield.
25b8b996 · Benjamin Peterson · d92b00e6 · 25b8b996 · 25b8b996 · 25b8b996
Commit 25b8b996 authored Jan 25, 2015 by Benjamin Peterson
Showing with 30 additions and 1 deletion

Lib/httplib.py Lib/httplib.py +5 -0

Lib/rfc822.py Lib/rfc822.py +6 -1

Lib/test/test_httplib.py Lib/test/test_httplib.py +10 -0

Lib/test/test_rfc822.py Lib/test/test_rfc822.py +6 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -313,6 +313,11 @@ class HTTPMessage(mimetools.Message):
                hlist.append(line)
                self.addheader(headerseen, line[len(headerseen)+1:].strip())
                continue
+            elif headerseen is not None:
+                # An empty header name. These aren't allowed in HTTP, but it's
+                # probably a benign mistake. Don't add the header, just keep
+                # going.
+                continue
            else:
                # It's not a header line; throw it back and stop here.
                if not self.dict:

--- a/Lib/rfc822.py
+++ b/Lib/rfc822.py
@@ -179,6 +179,11 @@ class Message:
                lst.append(line)
                self.dict[headerseen] = line[len(headerseen)+1:].strip()
                continue
+            elif headerseen is not None:
+                # An empty header name. These aren't allowed in HTTP, but it's
+                # probably a benign mistake. Don't add the header, just keep
+                # going.
+                continue
            else:
                # It's not a header line; throw it back and stop here.
                if not self.dict:
@@ -202,7 +207,7 @@ class Message:
        data in RFC 2822-like formats with special header formats.
        """
        i = line.find(':')
-        if i > 0:
+        if i > -1:
            return line[:i].lower()
        return None


--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -164,6 +164,16 @@ class HeaderTests(TestCase):
        conn.request('GET', '/foo')
        self.assertTrue(sock.data.startswith(expected))

+    def test_malformed_headers_coped_with(self):
+        # Issue 19996
+        body = "HTTP/1.1 200 OK\r\nFirst: val\r\n: nval\r\nSecond: val\r\n\r\n"
+        sock = FakeSocket(body)
+        resp = httplib.HTTPResponse(sock)
+        resp.begin()
+
+        self.assertEqual(resp.getheader('First'), 'val')
+        self.assertEqual(resp.getheader('Second'), 'val')
+

 class BasicTest(TestCase):
    def test_status_lines(self):

--- a/Lib/test/test_rfc822.py
+++ b/Lib/test/test_rfc822.py
@@ -248,6 +248,12 @@ A test message.
        eq(rfc822.quote('foo\\wacky"name'), 'foo\\\\wacky\\"name')
        eq(rfc822.unquote('"foo\\\\wacky\\"name"'), 'foo\\wacky"name')

+    def test_invalid_headers(self):
+        eq = self.assertEqual
+        msg = self.create_message("First: val\n: otherval\nSecond: val2\n")
+        eq(msg.getheader('First'), 'val')
+        eq(msg.getheader('Second'), 'val2')
+

 def test_main():
    test_support.run_unittest(MessageTestCase)

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -15,6 +15,9 @@ Core and Builtins
 Library
 -------

+- Issue #19996: Make :mod:`httplib` ignore headers with no name rather than
+  assuming the body has started.
+
 - Issue #20188: Support Application-Layer Protocol Negotiation (ALPN) in the ssl
  module.