Exclude DEL character from header values

https://github.com/tornadoweb/tornado/pull/3451#discussion_r1894148653

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 9c6d750f887a992278bf81a6607431f8eb4d6262..d99a66a408a4c6daad5357d6b5888f76db31dceb 100644 (file)
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -712,6 +712,7 @@ class SetHeaderHandler(RequestHandler):
         # should match the invalid characters from
         # https://www.rfc-editor.org/rfc/rfc9110#name-field-values
         illegal_chars = [chr(o) for o in range(0, 0x20)]
+        illegal_chars.append(chr(0x7f))
         illegal_chars.remove('\t')
         for char in illegal_chars:
             try:

diff --git a/tornado/web.py b/tornado/web.py
index acaae7ded74c0e643e31cfd66295ecebd591cf36..b61195902eddb9eeb757ca4394638b06a0938a96 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -399,7 +399,7 @@ class RequestHandler:
         if name in self._headers:
             del self._headers[name]
 
-    _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f]")
+    _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
 
     def _convert_header_value(self, value: _HeaderTypes) -> str:
         # Convert the input value to a str. This type check is a bit