
Fail with HTTP 400 for invalid headers

Test malformed Accept-Charset quality values.

Fixes #1370
Closes #1707

Co-authored-by: Zach Seils (seils) <seils@cisco.com>
Co-authored-by: Zach Seils <zachseils@gmail.com>
3 people committed May 28, 2018
1 parent 841f795 commit 38f199ce4e89d38f8a0484fd7a7f7e85ba4f110a
Showing with 21 additions and 1 deletion.
  1. +16 −1 cherrypy/lib/httputil.py
  2. +5 −0 cherrypy/test/test_encoding.py
@@ -18,6 +18,7 @@
from six.moves import range, builtins
from six.moves.BaseHTTPServer import BaseHTTPRequestHandler
import cherrypy
from cherrypy._cpcompat import ntob, ntou
from cherrypy._cpcompat import text_or_bytes
from cherrypy._cpcompat import unquote_qs
@@ -202,7 +203,21 @@ def qvalue(self):
val = self.params.get('q', '1')
if isinstance(val, HeaderElement):
val = val.value
return float(val)
try:
return float(val)
except ValueError as val_err:
"""Fail client requests with invalid quality value.
Ref: https://github.com/cherrypy/cherrypy/issues/1370
"""
six.raise_from(
cherrypy.HTTPError(
400,
'Malformed HTTP header: `{}`'.
format(str(self)),
),
val_err,
)
def __cmp__(self, other):
diff = builtins.cmp(self.qvalue, other.qvalue)
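Review bot: The new `try`/`except ValueError` around `float(val)` rejects only strings that `float()` cannot parse, so client-supplied q-values such as `nan`, `inf`, `-1` or `1e9` are still returned as valid weights; NaN in particular compares false against everything, which makes the ordering in `__cmp__` just below unreliable. Consider range-checking inside the `try` so these take the same 400 path: `q = float(val)`, then `if not 0.0 <= q <= 1.0: raise ValueError(val)`, then `return q`. The triple-quoted string inside the `except` block is an expression statement, not a docstring, and would read better as `# Fail client requests with an invalid quality value (issue #1370).`. The message also echoes the raw header through `str(self)`; that is fine as long as the error page HTML-escapes it, which is not visible from this hunk. `qvalue` begins above the hunk.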
@@ -360,6 +360,11 @@ def testEncoding(self):
self.getPage('/utf8', [('Accept-Charset', 'us-ascii, ISO-8859-1')])
self.assertStatus('406 Not Acceptable')
# Test malformed quality value, which should raise 400.
self.getPage('/mao_zedong', [('Accept-Charset',
'ISO-8859-1,utf-8;q=0.7,*;q=0.7)')])
self.assertStatus('400 Bad Request')
def testGzip(self):
zbuf = io.BytesIO()
zfile = gzip.GzipFile(mode='wb', fileobj=zbuf, compresslevel=9)
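Review bot: The malformed part of the header value in the new `getPage` call is a single trailing `)` after the last `q=0.7`, which is easy to misread as a typo in the test itself. The comment above it should name the character, e.g. `# Malformed quality value: the stray ")" after q=0.7 must yield 400.`. `testEncoding` starts above the hunk, so whether a well-formed request is exercised right after the rejected one cannot be seen from here.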
