Commit 864b7813 authored by Jacob Kaplan-Moss's avatar Jacob Kaplan-Moss

Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@10709 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 7935231e
+5 −0
@@ -263,6 +263,9 @@ def parse_cookie(cookie):
        cookiedict[key] = c.get(key).value
    return cookiedict

class BadHeaderError(ValueError):
    pass

class HttpResponse(object):
    """A basic HTTP response, with content and dictionary-accessed headers."""

@@ -301,6 +304,8 @@ class HttpResponse(object):
    def _convert_to_ascii(self, *values):
        """Converts all values to ascii strings."""
        for value in values:
            if '\n' in value or '\r' in value:
                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
            if isinstance(value, unicode):
                try:
                    yield value.encode('us-ascii')
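Review bot: The new guard `if '\n' in value or '\r' in value:` runs before the value has been coerced to a string, so a non-string header value (e.g. `response['Content-Length'] = 42`) now fails with `TypeError: argument of type 'int' is not iterable` instead of reaching the conversion branches; the rest of `_convert_to_ascii`, including the non-unicode branch, lies outside the hunk, but if that branch does `str(value)` as it appears to from the docstring, this is a regression for callers that previously could set numeric headers. Running the check after the conversion keeps the rejection, restores the old behaviour for non-strings, and also means the `%r` in the message shows the exact bytes that would have gone onto the wire. Note also that the message says "Header values" although the same check covers header names (the new tests only exercise names), so consider wording it `Header names and values can't contain newlines`; any change there must be mirrored in the doctests this commit adds. The `% (value)` is not a tuple; `% (value,)` is the safer form.
```python
    def _convert_to_ascii(self, *values):
        """Converts all values to ascii strings."""
        for value in values:
            if isinstance(value, unicode):
                try:
                    value = value.encode('us-ascii')
                except UnicodeError:
                    # … unchanged: existing US-ASCII error handling and re-raise …
                    raise
            else:
                value = str(value)
            # Check the converted bytes that would actually be emitted, so
            # non-string values are stringified first and header injection via
            # CR/LF is still rejected for both names and values.
            if '\n' in value or '\r' in value:
                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value,))
            yield value
```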
+5 −0
@@ -444,6 +444,11 @@ To set a header in your response, just treat it like a dictionary::
    >>> response = HttpResponse()
    >>> response['Pragma'] = 'no-cache'

.. versionadded:: 1.1

HTTP headers cannot contain newlines. An attempt to set a header containing a
newline character (CR or LF) will raise ``BadHeaderError``

Telling the browser to treat the response as a file attachment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+11 −0
@@ -444,6 +444,17 @@ Traceback (most recent call last):
...
UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format

# Bug #10188: Do not allow newlines in headers (CR or LF)
>>> r['test\\rstr'] = 'test'
Traceback (most recent call last):
...
BadHeaderError: Header values can't contain newlines (got 'test\\rstr')

>>> r['test\\nstr'] = 'test'
Traceback (most recent call last):
...
BadHeaderError: Header values can't contain newlines (got 'test\\nstr')

#
# Regression test for #8278: QueryDict.update(QueryDict)
#
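Review bot: The two new doctests only put the CR/LF in the header *name* (`r['test\\rstr'] = 'test'`), while the error message and the docs added in this commit describe header *values*, which is the side attacker-controlled data usually reaches (redirect targets, filenames in Content-Disposition). Add a value case such as `>>> r['test'] = 'test\\nstr'` expecting `BadHeaderError: Header values can't contain newlines (got 'test\\nstr')`, and ideally a combined `'\\r\\n'` case, so the check is pinned for both positions. A regression test that a non-string value like `r['Content-Length'] = 42` still works would also document whether the new guard is meant to run before or after stringification.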