Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@10709 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 864b78135a61e33e4433c95fd760d04ed8fe4c50 1 parent 7935231
@jacobian jacobian authored
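--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -263,6 +263,9 @@ def parse_cookie(cookie):
 cookiedict[key] = c.get(key).value
 return cookiedict
+class BadHeaderError(ValueError):
+ pass
+
 class HttpResponse(object):
 """A basic HTTP response, with content and dictionary-accessed headers."""
@@ -301,6 +304,8 @@ def __str__(self):
 def _convert_to_ascii(self, *values):
 """Converts all values to ascii strings."""
 for value in values:
+ if '\n' in value or '\r' in value:
+ raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
 if isinstance(value, unicode):
 try:
 yield value.encode('us-ascii')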
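Review bot: The CR/LF check on the two added lines in `_convert_to_ascii` runs before the value is coerced to a byte string, so a non-string header value (an int, say) now fails with `TypeError: argument of type 'int' is not iterable` instead of either passing or raising `BadHeaderError` — assuming the non-unicode branch below the hunk coerces with `str()`, which is outside this view. Moving the check after the coercion keeps the response-splitting guard on exactly the bytes that are written to the wire and preserves the old behaviour for non-string values; the rewritten loop is sketched below. `BadHeaderError` in the first hunk has no docstring; `"""Raised when a header name or value contains CR or LF."""` would say why it exists, and `% (value,)` makes the format tuple explicit. The body of `_convert_to_ascii` continues past the end of the hunk.
```python
        for value in values:
            if isinstance(value, unicode):
                try:
                    value = value.encode('us-ascii')
                # … unchanged: existing except clause (outside hunk) …
            # … unchanged: existing non-unicode branch (outside hunk), assigning to value instead of yielding …
            # Check the final byte string so non-string values still coerce and
            # the CR/LF guard sees exactly what is written to the wire.
            if '\n' in value or '\r' in value:
                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value,))
            yield value
```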
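--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -444,6 +444,11 @@ To set a header in your response, just treat it like a dictionary::
 >>> response = HttpResponse()
 >>> response['Pragma'] = 'no-cache'
+.. versionadded:: 1.1
+
+HTTP headers cannot contain newlines. An attempt to set a header containing a
+newline character (CR or LF) will raise ``BadHeaderError``
+
 Telling the browser to treat the response as a file attachment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~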
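--- a/tests/regressiontests/httpwrappers/tests.py
+++ b/tests/regressiontests/httpwrappers/tests.py
@@ -444,6 +444,17 @@
 ...
 UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format
+# Bug #10188: Do not allow newlines in headers (CR or LF)
+>>> r['test\\rstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\rstr')
+
+>>> r['test\\nstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\nstr')
+
 #
 # Regression test for #8278: QueryDict.update(QueryDict)
 #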
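Review bot: Both new doctests put the CR/LF in the header name (`r['test\\rstr'] = 'test'`) and never in the header value, so the value path that the error message describes is not exercised. One case per direction would pin it, e.g. `>>> r['test'] = 'test\\rstr'` followed by the same `Traceback` / `BadHeaderError` lines, and a matching `'\\n'` case. The hunk sits inside a doctest string whose enclosing docstring begins before and continues after what is shown here.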