Fix response header sanitization.
authorBen Darnell <ben@bendarnell.com>
Tue, 24 Apr 2012 04:55:05 +0000 (21:55 -0700)
committerBen Darnell <ben@bendarnell.com>
Tue, 24 Apr 2012 04:55:05 +0000 (21:55 -0700)
tornado/test/web_test.py
tornado/web.py

index 9f4c860ebf91bc0c1da984c38ef0ff590ce50f07..5312304f54ca27a86eef61fac4f3905e45cc42df 100644 (file)
@@ -335,6 +335,16 @@ class RedirectHandler(RequestHandler):
             raise Exception("didn't get permanent or status arguments")
 
 
+class HeaderInjectionHandler(RequestHandler):
+    def get(self):
+        try:
+            self.set_header("X-Foo", "foo\r\nX-Bar: baz")
+            raise Exception("Didn't get expected exception")
+        except ValueError, e:
+            assert "Unsafe header value" in str(e)
+            self.finish(b("ok"))
+
+
 class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
     def get_app(self):
         loader = DictLoader({
@@ -359,6 +369,7 @@ class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
             url("/flow_control", FlowControlHandler),
             url("/multi_header", MultiHeaderHandler),
             url("/redirect", RedirectHandler),
+            url("/header_injection", HeaderInjectionHandler),
             ]
         return Application(urls,
                            template_loader=loader,
@@ -452,6 +463,10 @@ js_embed()
         response = self.fetch("/redirect?status=307", follow_redirects=False)
         self.assertEqual(response.code, 307)
 
+    def test_header_injection(self):
+        response = self.fetch("/header_injection")
+        self.assertEqual(response.body, b("ok"))
+
 
 class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase):
     def get_app(self):
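Review bot: The `assert` inside HeaderInjectionHandler.get is stripped under `python -O`, so the check on the exception text would silently disappear while the handler still finishes with "ok" and test_header_injection keeps passing; an explicit `if "Unsafe header value" not in str(e): raise` keeps the check in every mode. The handler only exercises a CR/LF in the middle of the value, which is the case the old `re.match` missed; a second call such as `self.set_header("X-Foo", "\nX-Bar: baz")` would also pin the leading-control-character case so a later change cannot regress it. `except ValueError, e:` is Python 2-only syntax; if the project already relies on 2to3 for the test suite this is fine, otherwise `except ValueError as e:` is the portable spelling. The WebTest class continues outside the hunk.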
index c31eb674b2aa760bf9e6c17a74a2988cc5c144de..76392b75c1ced47ff524f0c20a510409ba8b2e26 100644 (file)
@@ -275,7 +275,7 @@ class RequestHandler(object):
         # If \n is allowed into the header, it is possible to inject
         # additional headers or split the request. Also cap length to
         # prevent obviously erroneous values.
-        if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
+        if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
             raise ValueError("Unsafe header value %r", value)
         return value
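Review bot: `raise ValueError("Unsafe header value %r", value)` on the line after the changed condition passes the format string and the value as two separate exception arguments instead of formatting them, so the message never contains the offending value and `str(e)` reads like `('Unsafe header value %r', ...)`; the new test's substring check happens to pass, which hides it. The fix is `raise ValueError("Unsafe header value %r" % value)`. The `[\x00-\x1f]` class also lets DEL (0x7f) through, which the HTTP header grammar treats as a control character alongside 0x00-0x1f; `b(r"[\x00-\x1f\x7f]")` closes that if it is intended. The enclosing method's signature and the start of its body are above the hunk.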