[CalendarServer-changes] [5629] CalendarServer/trunk/twext/web2
source_changes at macosforge.org
source_changes at macosforge.org
Wed May 19 22:53:48 PDT 2010
Revision: 5629
http://trac.macosforge.org/projects/calendarserver/changeset/5629
Author: glyph at apple.com
Date: 2010-05-19 22:53:46 -0700 (Wed, 19 May 2010)
Log Message:
-----------
Reject non-ASCII HTTP headers with BAD_REQUEST.
Modified Paths:
--------------
CalendarServer/trunk/twext/web2/channel/http.py
CalendarServer/trunk/twext/web2/test/test_http.py
Modified: CalendarServer/trunk/twext/web2/channel/http.py
===================================================================
--- CalendarServer/trunk/twext/web2/channel/http.py 2010-05-19 22:29:03 UTC (rev 5628)
+++ CalendarServer/trunk/twext/web2/channel/http.py 2010-05-20 05:53:46 UTC (rev 5629)
@@ -253,19 +253,27 @@
channel.setLineMode(extraneous)
+
def headerReceived(self, line):
- """Store this header away. Check for too much header data
- (> channel.maxHeaderLength) and abort the connection if so.
"""
+ Store this header away. Check for too much header data (>
+ channel.maxHeaderLength) and non-ASCII characters; abort the
+ connection with C{BAD_REQUEST} if so.
+ """
nameval = line.split(':', 1)
if len(nameval) != 2:
self._abortWithError(responsecode.BAD_REQUEST, "No ':' in header.")
-
name, val = nameval
+ for field in name, val:
+ try:
+ field.decode('ascii')
+ except UnicodeDecodeError:
+ self._abortWithError(responsecode.BAD_REQUEST,
+ "Headers must be ASCII")
val = val.lstrip(' \t')
self.inHeaders.addRawHeader(name, val)
-
+
def allHeadersReceived(self):
# Split off connection-related headers
connHeaders = self.splitConnectionHeaders()
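Review bot: The new loop in headerReceived rejects only bytes at or above 0x80, because `field.decode('ascii')` succeeds for every 7-bit value. Control characters such as NUL or a bare CR, and whitespace inside the header name, still reach `self.inHeaders.addRawHeader(name, val)`. If nothing downstream validates them (not visible in this hunk), such headers are a common cause of parser disagreement when requests are proxied or logged. Consider extending the same loop with `if any((ord(c) < 0x20 and c != '\t') or ord(c) == 0x7f for c in field):` followed by the same `_abortWithError(responsecode.BAD_REQUEST, ...)` call, and rejecting an empty name or one that contains a space. The loop also depends on `_abortWithError` raising to stop processing, which is defined outside the hunk; a comment such as `# _abortWithError raises, so nothing below runs for a bad header` would make that explicit.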
Modified: CalendarServer/trunk/twext/web2/test/test_http.py
===================================================================
--- CalendarServer/trunk/twext/web2/test/test_http.py 2010-05-19 22:29:03 UTC (rev 5628)
+++ CalendarServer/trunk/twext/web2/test/test_http.py 2010-05-20 05:53:46 UTC (rev 5629)
@@ -919,6 +919,21 @@
self.checkError(cxn, 400)
+
+ def test_nonAsciiHeader(self):
+ """
+ As per U{RFC 822 section 3,
+ <http://www.w3.org/Protocols/rfc822/3_Lexical.html#z0>}, headers are
+ ASCII only.
+ """
+ cxn = self.connect()
+ cxn.client.write("GET / HTTP/1.1\r\nX-Extra-Header: \xff\r\n\r\n")
+ self.checkError(cxn, responsecode.BAD_REQUEST)
+ cxn = self.connect()
+ cxn.client.write("GET / HTTP/1.1\r\nX-E\xfftra-Header: foo\r\n\r\n")
+ self.checkError(cxn, responsecode.BAD_REQUEST)
+
+
def testBadRequest(self):
cxn = self.connect()
cxn.client.write("GET / more HTTP/1.1\r\n")
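Review bot: test_nonAsciiHeader exercises only the byte `\xff`, so the boundary of the new check is untested. Add a case with `\x80`, the first byte the decode rejects, and a request carrying an ordinary ASCII header to confirm it is not refused. The docstring cites RFC 822, whereas HTTP/1.1 header syntax comes from RFC 2616 section 4.2, which is looser about octets in field values. If the stricter policy is deliberate, the docstring should say so, for example `Headers containing non-ASCII bytes are rejected with BAD_REQUEST; this is stricter than RFC 2616 requires.`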
@@ -1069,11 +1084,11 @@
try:
from twisted.internet import ssl
except ImportError:
- # happens the first time the interpreter tries to import it
- ssl = None
+ # happens the first time the interpreter tries to import it
+ ssl = None
if ssl and not ssl.supported:
- # happens second and later times
- ssl = None
+ # happens second and later times
+ ssl = None
certPath = util.sibpath(__file__, "server.pem")