From: Ben Darnell Date: Fri, 25 Apr 2025 19:31:13 +0000 (-0400) Subject: httputil: Reject header lines beginning with invalid whitespace X-Git-Tag: v6.5.0b1~6^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3488%2Fhead;p=thirdparty%2Ftornado.git httputil: Reject header lines beginning with invalid whitespace The obs-fold feature is defined only for tabs and spaces. The str.isspace() method also accepts other whitespace characters. These characters are not valid in HTTP headers and should be treated as errors instead of triggering line folding. Fixes #3480
---
diff --git a/tornado/httputil.py b/tornado/httputil.py
index 0f443cdd..5d05cacb 100644
--- a/tornado/httputil.py
+++ b/tornado/httputil.py
@@ -248,7 +248,7 @@ class HTTPHeaders(StrMutableMapping):
 if not line:
 # Empty line, or the final CRLF of a header block.
 return
- if line[0].isspace():
+ if line[0] in HTTP_WHITESPACE:
 # continuation of a multi-line header
 # TODO(7.0): Remove support for line folding.
 if self._last_key is None:
diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
index 53ae4607..221c1dcb 100644
--- a/tornado/test/httputil_test.py
+++ b/tornado/test/httputil_test.py
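Review bot: The new condition `if line[0] in HTTP_WHITESPACE:` only decides whether a line is an obs-fold continuation; a line that starts with another str.isspace() character (formfeed, vertical tab, NBSP) now falls through to ordinary header parsing, so the rejection the commit message promises depends on the colon/field-name validation further down the method, which is outside this hunk. That is sound if that validation rejects every non-token character in a field name, but it is worth stating at the branch, e.g. `# Only SP and HTAB start an obs-fold line (RFC 9112 §5.2); any other leading whitespace is not a valid field-name character and must be rejected by the header-line parsing below.` Note also that `in` on a str is a substring test, which is only equivalent to a single-character test because the `if not line` guard above rules out the empty string (`"" in " \t"` is true); a tuple or frozenset of the two characters would make that independent of the guard. This assumes HTTP_WHITESPACE is the module-level SP/HTAB string; the enclosing method starts and ends outside the hunk.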
@@ -287,13 +287,22 @@ Foo: even
 [("Asdf", "qwer zxcv"), ("Foo", "bar baz"), ("Foo", "even more lines")],
 )
 
- def test_malformed_continuation(self):
+ def test_continuation(self):
+ data = "Foo: bar\r\n\tasdf"
+ headers = HTTPHeaders.parse(data)
+ self.assertEqual(headers["Foo"], "bar asdf")
+
 # If the first line starts with whitespace, it's a
 # continuation line with nothing to continue, so reject it
 # (with a proper error).
 data = " Foo: bar"
 self.assertRaises(HTTPInputError, HTTPHeaders.parse, data)
 
+ # \f (formfeed) is whitespace according to str.isspace, but
+ # not according to the HTTP spec.
+ data = "Foo: bar\r\n\fasdf"
+ self.assertRaises(HTTPInputError, HTTPHeaders.parse, data)
+
 def test_unicode_newlines(self):
 # Ensure that only \r\n is recognized as a header separator, and not
 # the other newline-like unicode characters.
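Review bot: The formfeed case at the end of test_continuation rejects `"Foo: bar\r\n\fasdf"`, but that line has no colon, so the assertion would pass even if the parser still accepted a `\f`-prefixed line as a header — it cannot distinguish "rejected because the leading whitespace is invalid" from "rejected because there is no colon". Add a syntactically complete line to pin the intended behavior, e.g. `data = "Foo: bar\r\n\fBar: baz"` followed by `self.assertRaises(HTTPInputError, HTTPHeaders.parse, data)`, and consider a second str.isspace() character such as `\x0b` so the test does not hinge on formfeed alone. Whether the complete-line case raises depends on field-name validation elsewhere in httputil.py, which this diff does not show.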