From: Ben Darnell Date: Tue, 24 Apr 2012 04:55:05 +0000 (-0700) Subject: Fix reponse header sanitization. X-Git-Tag: v2.2.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ae91f6d58e6257e0ab49d295d8741ce1727bdb7;p=thirdparty%2Ftornado.git Fix reponse header sanitization.
---
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 9f4c860eb..5312304f5 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -335,6 +335,16 @@ class RedirectHandler(RequestHandler):
 raise Exception("didn't get permanent or status arguments")
+class HeaderInjectionHandler(RequestHandler):
+ def get(self):
+ try:
+ self.set_header("X-Foo", "foo\r\nX-Bar: baz")
+ raise Exception("Didn't get expected exception")
+ except ValueError, e:
+ assert "Unsafe header value" in str(e)
+ self.finish(b("ok"))
+
+
 class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
 def get_app(self):
 loader = DictLoader({
@@ -359,6 +369,7 @@ class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
 url("/flow_control", FlowControlHandler),
 url("/multi_header", MultiHeaderHandler),
 url("/redirect", RedirectHandler),
+ url("/header_injection", HeaderInjectionHandler),
 ]
 return Application(urls, template_loader=loader,
@@ -452,6 +463,10 @@ js_embed()
 response = self.fetch("/redirect?status=307", follow_redirects=False)
 self.assertEqual(response.code, 307)
+ def test_header_injection(self):
+ response = self.fetch("/header_injection")
+ self.assertEqual(response.body, b("ok"))
+
 class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase):
 def get_app(self):
diff --git a/tornado/web.py b/tornado/web.py
index c31eb674b..76392b75c 100644
--- a/tornado/web.py
+++ b/tornado/web.py
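Review bot: HeaderInjectionHandler.get in the first web_test.py hunk exercises only the embedded `\r\n` case, while the guard it regresses is meant to reject any C0 control character; a bare `\n` or a NUL placed after legitimate text (the position that `re.match` missed) is not covered. Turning the try into a loop, `for bad in ("foo\r\nX-Bar: baz", "foo\nX-Bar: baz", "foo\x00bar"):` with `self.set_header("X-Foo", bad)` inside it and `self.finish(b("ok"))` after the loop, covers all three at no cost. The `assert` inside the handler is stripped under `python -O`, in which case a wrong message would still finish with "ok" and the test would pass; `if "Unsafe header value" not in str(e): raise` keeps the check alive in every mode. `except ValueError, e:` is Python 2-only syntax; `except ValueError as e:` works on 2.6+ and 3 unless the suite is run through 2to3, which is not visible here.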
@@ -275,7 +275,7 @@ class RequestHandler(object):
 # If \n is allowed into the header, it is possible to inject
 # additional headers or split the request. Also cap length to
 # prevent obviously erroneous values.
- if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
+ if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
 raise ValueError("Unsafe header value %r", value)
 return value
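Review bot: The unchanged line right after the fixed check, `raise ValueError("Unsafe header value %r", value)`, never applies the `%r` formatting: the exception is built with two args, so `str(e)` is the repr of the tuple `('Unsafe header value %r', ...)`, and the new test's substring check passes on that tuple text, which is why the defect stays hidden. It should read `raise ValueError("Unsafe header value %r" % value)`. The switch from `re.match` to `re.search` is the right fix, since the old anchored match only rejected a control character at position 0; `[\x00-\x1f]` still admits `\x7f` (DEL), which RFC 7230 also excludes from field values, so `[\x00-\x1f\x7f]` would be the tighter class. Only the header value is checked in this hunk; if `set_header` does not validate the header name on a path outside this view, a `\r\n` in the name is an equally effective injection. The enclosing method's signature lies outside the hunk.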