Merge pull request #278 from gittip/crlfinjection-response

Here's a simpler implemention of #249
AspenWeb · Jan 7, 2014 · dad7abd · dad7abd
2 parents ea3421d + 1af0446
commit dad7abd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/aspen/exceptions.py b/aspen/exceptions.py
@@ -6,13 +6,18 @@
 from __future__ import print_function
 from __future__ import unicode_literals
 
+from aspen import Response
+
 
 class LoadError(Exception):
     """Represent a problem loading a resource.
     """
     # Define this here to avoid import issues when json doesn't exist.
 
 
-class CRLFInjection(Exception):
-    def __str__(self):
-        return "Possible CRLF injection detected."
+class CRLFInjection(Response):
+    """
+    A 400 Response (per #249) raised if there's a suspected CRLF Injection attack in the headers
+    """
+    def __init__(self):
+        Response.__init__(self, code=400, body="Possible CRLF Injection detected.")
diff --git a/aspen/http/baseheaders.py b/aspen/http/baseheaders.py
@@ -6,7 +6,6 @@
 
 from aspen.backcompat import CookieError, SimpleCookie
 
-from aspen.exceptions import CRLFInjection
 from aspen.http.mapping import CaseInsensitiveMapping
 from aspen.utils import typecheck
 
@@ -48,7 +47,8 @@ def __setitem__(self, name, value):
 
         """
         if '\n' in value:
-            raise CRLFInjection
+            from aspen.exceptions import CRLFInjection
+            raise CRLFInjection()
         super(BaseHeaders, self).__setitem__(name, value)