Fixed #20889 -- Prevented email.Header from inserting newlines

Passed large maxlinelen to email.Header to prevent newlines from being
inserted into value returned by _convert_to_charset

Thanks mjl at laubach.at for the report.
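
The folding that this commit message refers to can be reproduced with the standard library alone. The following is an added example, not part of the commit or of Django; the helper names `mime_encode`, `has_line_break` and `roundtrip` and the sample filename are constructed for illustration.

```python
import sys
from email.header import Header, decode_header, make_header

# Constructed sample: a non-ASCII filename long enough to exceed Header's
# default line length once it is RFC 2047-encoded.
SAMPLE = 'attachment; filename="%s"' % ("z" * 60 + " a\u0308.txt")


def mime_encode(value, maxlinelen=None):
    """RFC 2047-encode value as UTF-8, the way the patched line does.

    maxlinelen=None keeps Header's default limit (the pre-fix behaviour);
    passing sys.maxsize reproduces the fix.
    """
    return Header(value, "utf-8", maxlinelen=maxlinelen).encode()


def has_line_break(value):
    """True if value contains CR or LF, which an HTTP header value must not."""
    return "\r" in value or "\n" in value


def roundtrip(encoded):
    """Decode the encoded words back to text to confirm nothing was lost."""
    return str(make_header(decode_header(encoded)))


if __name__ == "__main__":
    folded = mime_encode(SAMPLE)                         # default limit
    single = mime_encode(SAMPLE, maxlinelen=sys.maxsize)  # as in the fix
    print("default     :", repr(folded))
    print("sys.maxsize :", repr(single))
    print("default has CR/LF    :", has_line_break(folded))
    print("sys.maxsize has CR/LF:", has_line_break(single))
    print("round trip intact    :", roundtrip(single) == SAMPLE)
```

With the default limit the value is split into several encoded words joined by a newline and a space, which is valid folding for mail but trips the newline check on HTTP response headers.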
commit 6dca603abb0eb164ba87657caf5cc65bca449719 1 parent aeed2cf
animan1 authored, timgraham committed
Showing with 9 additions and 1 deletion.
  1. +2 −1  django/http/response.py
  2. +7 −0 tests/httpwrappers/tests.py
3  django/http/response.py
@@ -2,6 +2,7 @@
import datetime
import time
+import sys
from email.header import Header
try:
from urllib.parse import urlparse
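Review bot: The added `import sys` sits after `import time`, which breaks the alphabetical order of the standard-library imports at the top of the file. Move it up so the block reads `import datetime`, `import sys`, `import time`.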
@@ -160,7 +161,7 @@ def _convert_to_charset(self, value, charset, mime_encode=False):
except UnicodeError as e:
if mime_encode:
# Wrapping in str() is a workaround for #12422 under Python 2.
- value = str(Header(value, 'utf-8').encode())
+ value = str(Header(value, 'utf-8', maxlinelen=sys.maxsize).encode())
else:
e.reason += ', HTTP response headers must be in %s format' % charset
raise
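Review bot: The `maxlinelen=sys.maxsize` argument on the changed `Header(...)` line carries no explanation, while the line above it documents the `str()` workaround for #12422. Extend that comment to say that the large limit stops `Header` from folding the encoded value and inserting newlines (#20889), so a later cleanup does not remove the argument as an oddity.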
7 tests/httpwrappers/tests.py
@@ -290,6 +290,13 @@ def test_headers_type(self):
self.assertRaises(UnicodeError, r.__setitem__, 'føø', 'bar')
self.assertRaises(UnicodeError, r.__setitem__, 'føø'.encode('utf-8'), 'bar')
+ def test_long_line(self):
+ # Bug #20889: long lines trigger newlines to be added to headers
+ # (which is not allowed due to bug #10188)
+ h = HttpResponse()
+ f = 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz a\xcc\x88'.encode('latin-1')
+ f = f.decode('utf-8')
+ h['Content-Disposition'] = u'attachment; filename="%s"' % f
def test_newlines_in_headers(self):
# Bug #10188: Do not allow newlines in headers (CR or LF)
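Review bot: `test_long_line` contains no assertion, so it passes only by not raising when `h['Content-Disposition']` is assigned. Assert on the stored value, for example that `h['Content-Disposition']` contains neither `\r` nor `\n`, so the test states the expected result itself instead of depending on the #10188 newline check to raise. Rebinding `f` from the encoded bytes to the decoded text also makes the setup harder to follow; separate names for the two would help.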

1 comment on commit 6dca603

Tim Graham
Owner

@animan1 - this ticket was reopened. I wonder if you can comment on it?
