Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
a7faf6424a
commit
155ab07a5d
|
@ -263,6 +263,9 @@ def parse_cookie(cookie):
|
||||||
cookiedict[key] = c.get(key).value
|
cookiedict[key] = c.get(key).value
|
||||||
return cookiedict
|
return cookiedict
|
||||||
|
|
||||||
|
class BadHeaderError(ValueError):
|
||||||
|
pass
|
||||||
|
|
||||||
class HttpResponse(object):
|
class HttpResponse(object):
|
||||||
"""A basic HTTP response, with content and dictionary-accessed headers."""
|
"""A basic HTTP response, with content and dictionary-accessed headers."""
|
||||||
|
|
||||||
|
@ -301,6 +304,8 @@ class HttpResponse(object):
|
||||||
def _convert_to_ascii(self, *values):
|
def _convert_to_ascii(self, *values):
|
||||||
"""Converts all values to ascii strings."""
|
"""Converts all values to ascii strings."""
|
||||||
for value in values:
|
for value in values:
|
||||||
|
if '\n' in value or '\r' in value:
|
||||||
|
raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
|
||||||
if isinstance(value, unicode):
|
if isinstance(value, unicode):
|
||||||
try:
|
try:
|
||||||
yield value.encode('us-ascii')
|
yield value.encode('us-ascii')
|
||||||
|
|
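Review bot: The guard `if '\n' in value or '\r' in value:` is placed before the `isinstance(value, unicode)` branch, so it runs on the raw argument rather than on the string that is finally yielded; a non-string value (an integer Content-Length, for instance) now hits `in` and raises TypeError, where the non-unicode branch (outside the hunk, and presumably a `str(value)`) used to accept it. Moving the check after the conversion — assign the result of `value.encode('us-ascii')` instead of yielding it, convert the other branch the same way, then test and yield — keeps the newline guard on everything that reaches the wire, including the `str()` form of non-string objects. The except clause and the rest of `_convert_to_ascii` are outside the hunk. Since the test hunk on this page shows header names going through the same generator (`r['test\\rstr'] = 'test'`), the message `Header values can't contain newlines` is also raised for names; `Header names and values can't contain newlines (got %r)` would read more accurately, with the doctest updated to match.

```python
        for value in values:
            if isinstance(value, unicode):
                try:
                    value = value.encode('us-ascii')
                # … unchanged: except UnicodeError clause (outside the hunk) …
            else:
                value = str(value)
            if '\n' in value or '\r' in value:
                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
            yield value
```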
|
@ -445,6 +445,11 @@ To set a header in your response, just treat it like a dictionary::
|
||||||
>>> response = HttpResponse()
|
>>> response = HttpResponse()
|
||||||
>>> response['Pragma'] = 'no-cache'
|
>>> response['Pragma'] = 'no-cache'
|
||||||
|
|
||||||
|
.. versionadded:: 1.1
|
||||||
|
|
||||||
|
HTTP headers cannot contain newlines. An attempt to set a header containing a
|
||||||
|
newline character (CR or LF) will raise ``BadHeaderError``
|
||||||
|
|
||||||
Telling the browser to treat the response as a file attachment
|
Telling the browser to treat the response as a file attachment
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
|
@ -444,6 +444,17 @@ Traceback (most recent call last):
|
||||||
...
|
...
|
||||||
UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format
|
UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format
|
||||||
|
|
||||||
|
# Bug #10188: Do not allow newlines in headers (CR or LF)
|
||||||
|
>>> r['test\\rstr'] = 'test'
|
||||||
|
Traceback (most recent call last):
|
||||||
|
...
|
||||||
|
BadHeaderError: Header values can't contain newlines (got 'test\\rstr')
|
||||||
|
|
||||||
|
>>> r['test\\nstr'] = 'test'
|
||||||
|
Traceback (most recent call last):
|
||||||
|
...
|
||||||
|
BadHeaderError: Header values can't contain newlines (got 'test\\nstr')
|
||||||
|
|
||||||
#
|
#
|
||||||
# Regression test for #8278: QueryDict.update(QueryDict)
|
# Regression test for #8278: QueryDict.update(QueryDict)
|
||||||
#
|
#
|
||||||
|
|
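Review bot: Both new doctests put the CR or LF in the header name (`r['test\\rstr'] = 'test'`, `r['test\\nstr'] = 'test'`); nothing in the hunk exercises a newline inside the header value, which is the case the error message and the commit title describe. Adding `>>> r['test'] = 'test\\nstr'` with the expectation `BadHeaderError: Header values can't contain newlines (got 'test\\nstr')` would pin that path as well. A combined `'test\\r\\nstr'` case is also worth listing, since CRLF is the sequence that ends a header line on the wire.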