Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@10709 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 864b78135a61e33e4433c95fd760d04ed8fe4c50 1 parent 7935231
Jacob Kaplan-Moss authored May 08, 2009
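--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -263,6 +263,9 @@ def parse_cookie(cookie):
         cookiedict[key] = c.get(key).value
     return cookiedict
 
+class BadHeaderError(ValueError):
+    pass
+
 class HttpResponse(object):
     """A basic HTTP response, with content and dictionary-accessed headers."""
 
@@ -301,6 +304,8 @@ def __str__(self):
     def _convert_to_ascii(self, *values):
         """Converts all values to ascii strings."""
         for value in values:
+            if '\n' in value or '\r' in value:
+                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
             if isinstance(value, unicode):
                 try:
                     yield value.encode('us-ascii')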
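Review bot: The new membership test on the `if '\n' in value or '\r' in value:` line runs before any type conversion, so a non-string header value such as an int now raises `TypeError` ("argument of type 'int' is not iterable") before it can reach the encoding path. `_convert_to_ascii` continues past the hunk, so whether a `str(value)` fallback previously accepted such values is not visible here, but if it did this is a regression for callers that set e.g. Content-Length to an int. Coerce first, `if not isinstance(value, basestring):` / `    value = str(value)` ahead of the check, or move the check after the conversion so it also inspects the `str()` result. Separately, the check is applied to header names as well as values (the tests in this commit trigger it through the name), so "Header values can't contain newlines" understates what is rejected — "Header names and values can't contain newlines" matches the behaviour — and `% (value)` is not a tuple; `% (value,)` is the conventional spelling.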
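--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -444,6 +444,11 @@ To set a header in your response, just treat it like a dictionary::
     >>> response = HttpResponse()
     >>> response['Pragma'] = 'no-cache'
 
+.. versionadded:: 1.1
+
+HTTP headers cannot contain newlines. An attempt to set a header containing a
+newline character (CR or LF) will raise ``BadHeaderError``
+
 Telling the browser to treat the response as a file attachment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 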
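--- a/tests/regressiontests/httpwrappers/tests.py
+++ b/tests/regressiontests/httpwrappers/tests.py
@@ -444,6 +444,17 @@
 ...
 UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format
 
+# Bug #10188: Do not allow newlines in headers (CR or LF)
+>>> r['test\\rstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\rstr')
+
+>>> r['test\\nstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\nstr')
+
 #
 # Regression test for #8278: QueryDict.update(QueryDict)
 #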
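Review bot: Both new doctest cases exercise the newline check through the header name (`r['test\\rstr'] = 'test'`, `r['test\\nstr'] = 'test'`); no case sets a header value containing CR or LF, which is what the error message and the ticket title describe, so a regression in the value path would go unnoticed. Add `>>> r['test'] = 'test\\nstr'` and its CR counterpart with the same expected `BadHeaderError` traceback. One case using the combined `'test\\r\\nstr'` is also worth having, since CRLF is the actual response-splitting payload.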
