raise
+class SetHeaderHandler(RequestHandler):
+ def get(self):
+ # tests the validity of web.RequestHandler._INVALID_HEADER_CHAR_RE
+ # should match the invalid characters from
+ # https://www.rfc-editor.org/rfc/rfc9110#name-field-values
+ illegal_chars = [chr(o) for o in range(0, 0x20)]
+ illegal_chars.remove('\t')
+ for char in illegal_chars:
+ try:
+ self.set_header("X-Foo", "foo" + char + "bar")
+ raise Exception("Didn't get expected exception")
+ except ValueError as e:
+ if "Unsafe header value" not in str(e):
+ raise
+ self.finish(b"ok")
+
+
class GetArgumentHandler(RequestHandler):
def prepare(self):
if self.get_argument("source", None) == "query":
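Review bot: The loop in `SetHeaderHandler.get` only proves that the remaining control characters are still rejected; nothing asserts the behaviour this commit actually changes, namely that a tab is now accepted. After the loop, add `self.set_header("X-Foo", "foo\tbar")` before `self.finish(b"ok")`. In `test_set_header`, a check such as `self.assertEqual(response.headers["X-Foo"], "foo\tbar")` would then make a regression to the old pattern fail, assuming the test client preserves the tab when parsing. `range(0, 0x20)` also leaves DEL (`\x7f`) uncovered, although the RFC 9110 section linked in the comment counts it among the CTLs.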
url("/header_injection", HeaderInjectionHandler),
url("/get_argument", GetArgumentHandler),
url("/get_arguments", GetArgumentsHandler),
+ url("/set_header", SetHeaderHandler),
]
return urls
response = self.fetch("/header_injection")
self.assertEqual(response.body, b"ok")
+ def test_set_header(self):
+ response = self.fetch("/set_header")
+ self.assertEqual(response.body, b"ok")
+
def test_get_argument(self):
response = self.fetch("/get_argument?foo=bar")
self.assertEqual(response.body, b"bar")
if name in self._headers:
del self._headers[name]
- _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x1f]")
+ _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f]")
def _convert_header_value(self, value: _HeaderTypes) -> str:
# Convert the input value to a str. This type check is a bit
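Review bot: The new class `[\x00-\x08\x0a-\x1f]` admits HTAB as intended, but DEL (`\x7f`) is also a CTL in the RFC 9110 field-value grammar and still passes this check. If the goal is to match the RFC's invalid set, as the test comment in this commit states, consider `re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")`; this changes behaviour for any caller that currently sets a value containing DEL, so it may warrant its own release note. A one-line comment above the pattern, such as `# C0 controls except HTAB (\x09), which RFC 9110 allows inside a field value`, would keep the gap in the range from looking accidental. `_convert_header_value`, which presumably applies the pattern, continues outside the hunk.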