Add error handling for non ascii header keys

sanic-org · Mar 11, 2023 · 04940ef · 04940ef
1 parent a66c71f
commit 04940ef
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/sanic/asgi.py b/sanic/asgi.py
@@ -6,7 +6,7 @@
 from urllib.parse import quote
 
 from sanic.compat import Header
-from sanic.exceptions import ServerError
+from sanic.exceptions import BadRequest, ServerError
 from sanic.helpers import Default
 from sanic.http import Stage
 from sanic.log import error_logger, logger
@@ -132,12 +132,18 @@ async def create(
         instance.response = None
         setattr(instance.transport, "add_task", sanic_app.loop.create_task)
 
-        headers = Header(
-            [
-                (key.decode("ASCII"), value.decode(errors="surrogateescape"))
-                for key, value in scope.get("headers", [])
-            ]
-        )
+        try:
+            headers = Header(
+                [
+                    (
+                        key.decode("ASCII"),
+                        value.decode(errors="surrogateescape"),
+                    )
+                    for key, value in scope.get("headers", [])
+                ]
+            )
+        except UnicodeDecodeError:
+            BadRequest("Header names can only contain US-ASCII characters")
         instance.lifespan = Lifespan(instance)
 
         if scope["type"] == "lifespan":

diff --git a/sanic/http/http3.py b/sanic/http/http3.py
@@ -18,7 +18,12 @@
 
 from sanic.compat import Header
 from sanic.constants import LocalCertCreator
-from sanic.exceptions import PayloadTooLarge, SanicException, ServerError
+from sanic.exceptions import (
+    BadRequest,
+    PayloadTooLarge,
+    SanicException,
+    ServerError,
+)
 from sanic.helpers import has_message_body
 from sanic.http.constants import Stage
 from sanic.http.stream import Stream
@@ -333,7 +338,15 @@ def get_receiver_by_stream_id(self, stream_id: int) -> Receiver:
         return self.receivers[stream_id]
 
     def _make_request(self, event: HeadersReceived) -> Request:
-        headers = Header(((k.decode(), v.decode()) for k, v in event.headers))
+        try:
+            headers = Header(
+                (
+                    (k.decode("ASCII"), v.decode(errors="surrogateescape"))
+                    for k, v in event.headers
+                )
+            )
+        except UnicodeDecodeError:
+            BadRequest("Header names can only contain US-ASCII characters")
         method = headers[":method"]
         path = headers[":path"]
         scheme = headers.pop(":scheme", "")