Skip to content

Commit

Permalink
Disallow invalid header characters (#725)
Browse files Browse the repository at this point in the history
* Disallow invalid header characters

* Linting

* Fix escape sequence
  • Loading branch information
tomchristie authored Jul 28, 2020
1 parent 81f2136 commit 789e2f1
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions uvicorn/protocols/http/httptools_impl.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import asyncio
import http
import logging
import re
import urllib

import httptools
Expand All @@ -13,6 +14,9 @@
is_ssl,
)

HEADER_RE = re.compile(b'[\x00-\x1F\x7F()<>@,;:[]={} \t\\"]')
HEADER_VALUE_RE = re.compile(b"[\x00-\x1F\x7F]")


def _get_status_line(status_code):
try:
Expand Down Expand Up @@ -459,6 +463,11 @@ async def send(self, message):
content = [STATUS_LINE[status_code]]

for name, value in headers:
if HEADER_RE.search(name):
raise RuntimeError("Invalid HTTP header name.")
if HEADER_VALUE_RE.search(value):
raise RuntimeError("Invalid HTTP header value.")

name = name.lower()
if name == b"content-length" and self.chunked_encoding is None:
self.expected_content_length = int(value.decode())
Expand Down

0 comments on commit 789e2f1

Please sign in to comment.