
Ignore invalid mime wildcards in MIMEAccept #83

Merged
merged 1 commit into from
Nov 9, 2012

Conversation

rfk
Contributor

@rfk rfk commented Nov 9, 2012

The current implementation of MIMEAccept will happily parse malformed wildcard strings like "image/pn*" at parse time, but then trigger an AssertionError during matching:

>>> m = MIMEAccept("image/pn*")
>>> m.best_match(["image/png"])
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "webob/acceptparse.py", line 176, in best_match
    if self._match(mask, offer):
  File "webob/acceptparse.py", line 305, in _match
    assert mask.endswith('/*')
AssertionError
>>>

This patch changes MIMEAccept.parse to filter out these invalid values so that client-provided data cannot trigger an assertion.
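The defect described above is a parser that accepts more than the matcher's invariant allows, so client-controlled input reaches an `assert`. The following is an added illustration (not webob's code, and the function names `parse_accept`, `match` and `best_match` are hypothetical) of the approach the patch takes: validate media ranges at parse time, drop anything that is not `type/subtype`, `type/*` or `*/*`, and let the matcher rely on that guarantee instead of an assertion.

```python
import re

# A media range is "type/subtype", "type/*" or "*/*", optionally followed by
# parameters such as ";q=0.5".  A partial wildcard such as "image/pn*" matches
# neither alternative and is discarded rather than kept for later matching.
_MEDIA_RANGE = re.compile(r'^(\*|[\w.+-]+)/(\*|[\w.+-]+)$')


def parse_accept(header):
    """Parse an Accept header into a list of (mask, quality) tuples.

    Malformed entries are filtered out here so that client-supplied data can
    never reach the matcher in a shape its invariants do not cover.
    """
    ranges = []
    for item in header.split(','):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(';')]
        mask, params = parts[0].lower(), parts[1:]
        m = _MEDIA_RANGE.match(mask)
        if m is None:
            continue  # e.g. "image/pn*": the wildcard is not a whole subtype
        if m.group(1) == '*' and m.group(2) != '*':
            continue  # "*/png" is not a valid media range either
        quality = 1.0
        for p in params:
            if p.startswith('q='):
                try:
                    quality = float(p[2:])
                except ValueError:
                    quality = 0.0  # unparsable q means "not acceptable"
                quality = min(max(quality, 0.0), 1.0)
        ranges.append((mask, quality))
    return ranges


def match(mask, offer):
    """Return True if a validated mask covers the concrete offer.

    Offers are server-side constants of the form "type/subtype"; masks have
    already been validated by parse_accept, so no assertion is needed here.
    """
    mtype, msub = mask.split('/', 1)
    otype, osub = offer.lower().split('/', 1)
    if mtype == '*':
        return True  # only "*/*" survives parsing with a wildcard type
    if mtype != otype:
        return False
    return msub == '*' or msub == osub


def best_match(header, offers):
    """Return the offer with the highest client quality, or None if nothing matches."""
    ranges = parse_accept(header)
    best, best_q = None, 0.0
    for offer in offers:
        for mask, q in ranges:
            if q > best_q and match(mask, offer):
                best, best_q = offer, q
    return best


if __name__ == '__main__':
    # Constructed inputs: the malformed header from the report and a valid one.
    print(parse_accept('image/pn*'))                                  # []
    print(best_match('image/pn*', ['image/png']))                     # None
    print(best_match('image/*;q=0.5, image/png', ['image/jpeg', 'image/png']))
```

With this shape, the header `image/pn*` that used to raise `AssertionError` now simply yields no acceptable offer, which is the behaviour a caller can handle (for example by responding with 406) rather than an unexpected exception surfacing from request parsing.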

@rfk
Contributor Author

rfk commented Nov 9, 2012

Also worth noting that we've seen this occasionally in the wild, with user-agents apparently sending an invalid Accept header:

https://bugzilla.mozilla.org/show_bug.cgi?id=735604

@mcdonc mcdonc merged commit 3c7f68b into Pylons:master Nov 9, 2012
@mcdonc
Member

mcdonc commented Nov 9, 2012

Thank you!

mamash pushed a commit to TritonDataCenter/pkgsrc-wip that referenced this pull request Aug 20, 2014
1.4 (2013-05-14)
----------------

Features
~~~~~~~~

- Remove ``webob.__version__``, the version number had not been kept in sync
  with the official pkg version.  To obtain the WebOb version number, use
  ``pkg_resources.get_distribution('webob').version`` instead.

Bug Fixes
~~~~~~~~~

- Fix a bug in ``EmptyResponse`` that prevents it from setting self.close as
  appropriate due to testing truthiness of object rather than if it is
  something other than ``None``.

- Fix a bug in ``SignedSerializer`` preventing secrets from containing
  higher-order characters. See Pylons/webob#136

- Use the ``hmac.compare_digest`` method when available for constant-time
  comparisons.

1.3.1 (2013-12-13)
------------------

Bug Fixes
~~~~~~~~~

- Fix a bug in ``SignedCookieProfile`` whereby we didn't keep the original
  serializer around; this would cause us to have ``SignedSerializer`` be added on
  top of a ``SignedSerializer``, which would cause it to be run twice when
  attempting to verify a cookie.  See Pylons/webob#127

Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- When ``CookieProfile.get_value`` and ``SignedCookieProfile.get_value`` fail
  to deserialize a badly encoded value, we now return ``None`` as if the cookie
  was never set in the first place instead of allowing a ``ValueError`` to be
  raised to the calling code.  See Pylons/webob#126

1.3 (2013-12-10)
----------------

Features
~~~~~~~~

- Added a read-only ``domain`` property to ``BaseRequest``.  This property
  returns the domain portion of the host value.  For example, if the
  environment contains an ``HTTP_HOST`` value of ``foo.example.com:8000``,
  ``request.domain`` will return ``foo.example.com``.

- Added five new APIs: ``webob.cookies.CookieProfile``,
  ``webob.cookies.SignedCookieProfile``, ``webob.cookies.JSONSerializer`` and
  ``webob.cookies.SignedSerializer``, and ``webob.cookies.make_cookie``.  These
  APIs are convenience APIs for generating and parsing cookie headers as well
  as dealing with signing cookies.

- Cookies generated via webob.cookies quoted characters in cookie values that
  did not need to be quoted per RFC 6265.  The following characters are no
  longer quoted in cookie values: ``~/=<>()[]{}?@`` .  The full set of
  non-letter-or-digit unquoted cookie value characters is now
  ``!#$%&'*+-.^_`|~/: =<>()[]{}?@``.  See
  http://tools.ietf.org/html/rfc6265#section-4.1.1 for more information.

- Cookie names are now restricted to the set of characters expected by RFC
  6265.  Previously they could contain unsupported characters such as ``/``.

- Older versions of Webob escaped the doublequote to ``\"`` and the backslash
  to ``\\`` when quoting cookie values.  Now, instead, cookie serialization
  generates ``\042`` for the doublequote and ``\134`` for the backslash. This
  is what is expected as per RFC 6265.  Note that old cookie values that do
  have the older style quoting in them will still be unquoted correctly,
  however.

- Added support for draft status code 451 ("Unavailable for Legal Reasons").
  See http://tools.ietf.org/html/draft-tbray-http-legally-restricted-status-00

- Added status codes 428, 429, 431 and 511 to ``util.status_reasons`` (they
  were already present in a previous release as ``webob.exc`` exceptions).

Bug Fixes
~~~~~~~~~

- MIMEAccept happily parsed malformed wildcard strings like "image/pn*" at
  parse time, but then threw an AssertionError during matching.  See
  Pylons/webob#83.

- Preserve document ordering of GET and POST request data when POST data passed
  to Request.blank is a MultiDict.  See Pylons/webob#96

- Allow query strings attached to PATCH requests to populate request.params.
  See Pylons/webob#106

- Added Python 3.3 trove classifier.
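Several entries in the changelog above share one theme: signed cookie values must be verified in constant time, secrets may contain non-ASCII characters, and a badly encoded or tampered value should come back as ``None`` rather than raise into the caller. The following is an added example of a serializer with those three properties; it is not webob's ``SignedSerializer`` and shares only the idea with it. The class name, the SHA-512 HMAC, the URL-safe base64 framing and the 64-byte signature prefix are all assumptions made here.

```python
import base64
import hashlib
import hmac
import json

_SIG_LEN = hashlib.sha512().digest_size  # 64 bytes of HMAC-SHA512


def _compare_digest(a, b):
    """Constant-time comparison; hmac.compare_digest is used when available."""
    if hasattr(hmac, 'compare_digest'):
        return hmac.compare_digest(a, b)
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a, b):  # bytes iterate as ints on Python 3
        result |= x ^ y
    return result == 0


class SignedSerializer:
    """Hypothetical HMAC-signed JSON serializer (not webob's own class)."""

    def __init__(self, secret, salt):
        # Encode to bytes up front so secrets with non-ASCII characters work.
        if isinstance(secret, str):
            secret = secret.encode('utf-8')
        if isinstance(salt, str):
            salt = salt.encode('utf-8')
        self.key = hashlib.sha512(salt + secret).digest()

    def dumps(self, value):
        """Serialize value as base64(HMAC || json)."""
        body = json.dumps(value).encode('utf-8')
        sig = hmac.new(self.key, body, hashlib.sha512).digest()
        return base64.urlsafe_b64encode(sig + body).decode('ascii')

    def loads(self, cookie_value):
        """Return the stored value, or None for malformed or tampered input.

        Every failure path (bad base64, short payload, signature mismatch,
        undecodable JSON) collapses to None so that a client cannot make the
        cookie layer raise into application code.
        """
        try:
            raw = base64.urlsafe_b64decode(cookie_value.encode('ascii'))
        except ValueError:  # binascii.Error and UnicodeError are subclasses
            return None
        sig, body = raw[:_SIG_LEN], raw[_SIG_LEN:]
        if len(sig) != _SIG_LEN:
            return None
        expected = hmac.new(self.key, body, hashlib.sha512).digest()
        if not _compare_digest(sig, expected):
            return None
        try:
            return json.loads(body.decode('utf-8'))
        except ValueError:  # UnicodeDecodeError is also a ValueError
            return None


if __name__ == '__main__':
    # Constructed demo: a non-ASCII secret, a round trip, and a garbage value.
    s = SignedSerializer('s\u00e9cret', 'cookie-salt')
    token = s.dumps({'user': 'alice'})
    print(s.loads(token))   # {'user': 'alice'}
    print(s.loads('***'))   # None
```

The signature is computed over the serialized body and checked before the body is decoded, so JSON parsing only ever runs on data the server itself produced.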