author | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2018-05-15 16:52:58 -0400 |
---|---|---|
committer | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2018-05-17 15:53:34 -0400 |
commit | ee029a9b927a41c028427f8afc1821ed914e6d47 (patch) | |
tree | e29b9455d91ef6cf64135f51dd8e5b3395b1e744 /glanceclient | |
parent | b9c6db6558248cddad47715fd0f12df7ceceb37d (diff) | |
download | python-glanceclient-ee029a9b927a41c028427f8afc1821ed914e6d47.tar.gz |
Handle HTTP headers per RFC 8187
According to RFC 8187, HTTP headers should use 7-bit ASCII encoding.
The glanceclient was encoding them as UTF-8, which can leave the 8th
bit nonzero when representing unicode, and which presents problems
for any recipient following the standard and decoding the headers as
ASCII.
This change requires keystoneauth1 3.6.2, which has a fix for a
bug that made it unable to handle bytes in headers. The dependency
is a patch bumping the keystoneauth1 version in upper-constraints.
Depends-on: https://review.openstack.org/#/c/569138/
Change-Id: I0d14974126fcb20e23a37347f4f1756c323cf2f5
Closes-bug: #1766235
Diffstat (limited to 'glanceclient')
-rw-r--r-- | glanceclient/common/http.py | 23 | ||||
-rw-r--r-- | glanceclient/tests/unit/test_http.py | 14 |
2 files changed, 32 insertions, 5 deletions
diff --git a/glanceclient/common/http.py b/glanceclient/common/http.py index fc635ff..84cdc69 100644 --- a/glanceclient/common/http.py +++ b/glanceclient/common/http.py @@ -24,6 +24,7 @@ from oslo_utils import importutils from oslo_utils import netutils import requests import six +import six.moves.urllib.parse as urlparse try: import json @@ -53,8 +54,26 @@ def encode_headers(headers): :returns: Dictionary with encoded headers' names and values """ - return dict((encodeutils.safe_encode(h), encodeutils.safe_encode(v)) - for h, v in headers.items() if v is not None) + # NOTE(rosmaita): This function's rejection of any header name without a + # corresponding value is arguably justified by RFC 7230. In any case, that + # behavior was already here and there is an existing unit test for it. + + # Bug #1766235: According to RFC 8187, headers must be encoded as ASCII. + # So we first %-encode them to get them into range < 128 and then turn + # them into ASCII. + if six.PY2: + # incoming items may be unicode, so get them into something + # the py2 version of urllib can handle before percent encoding + encoded_dict = dict((urlparse.quote(encodeutils.safe_encode(h)), + urlparse.quote(encodeutils.safe_encode(v))) + for h, v in headers.items() if v is not None) + else: + encoded_dict = dict((urlparse.quote(h), urlparse.quote(v)) + for h, v in headers.items() if v is not None) + + return dict((encodeutils.safe_encode(h, encoding='ascii'), + encodeutils.safe_encode(v, encoding='ascii')) + for h, v in encoded_dict.items()) class _BaseHTTPClient(object): diff --git a/glanceclient/tests/unit/test_http.py b/glanceclient/tests/unit/test_http.py index cec94e0..efd15bf 100644 --- a/glanceclient/tests/unit/test_http.py +++ b/glanceclient/tests/unit/test_http.py 
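Review bot: In `encode_headers`, `urlparse.quote()` is called with its default `safe='/'`, so it escapes far more than the non-ASCII bytes the new comment is about: a space, `=`, `+`, `;`, `:` or `%` in an already-ASCII value is rewritten too, and header names go through the same call. That alters values such as tokens with base64 padding or media types with parameters, and the peer only recovers the original if it percent-decodes, which nothing in this hunk establishes. I would pass an explicit safe set covering the printable ASCII allowed in field values, e.g. `urlparse.quote(v, safe=HEADER_VALUE_SAFE)` with `HEADER_VALUE_SAFE` as a new module constant (the name is only a suggestion), and leave names unquoted or reject names that are not plain tokens. One effect worth keeping and stating in the comment is that CR and LF inside a value now come out as `%0D%0A`, so a value can no longer break out of its own header line. The function's signature and the start of its docstring are outside the hunk.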
@@ -216,10 +216,15 @@ class TestClient(testtools.TestCase): def test_headers_encoding(self): value = u'ni\xf1o' - headers = {"test": value, "none-val": None} + headers = {"test": value, "none-val": None, "Name": "value"} encoded = http.encode_headers(headers) - self.assertEqual(b"ni\xc3\xb1o", encoded[b"test"]) + # Bug #1766235: According to RFC 8187, headers must be + # encoded as 7-bit ASCII, so expect to see only displayable + # chars in percent-encoding + self.assertEqual(b"ni%C3%B1o", encoded[b"test"]) self.assertNotIn("none-val", encoded) + self.assertNotIn(b"none-val", encoded) + self.assertEqual(b"value", encoded[b"Name"]) @mock.patch('keystoneauth1.adapter.Adapter.request') def test_http_duplicate_content_type_headers(self, mock_ksarq): @@ -466,4 +471,7 @@ class TestClient(testtools.TestCase): http_client.auth_token = unicode_token http_client.get(path) headers = self.mock.last_request.headers - self.assertEqual(b'ni\xc3\xb1o', headers['X-Auth-Token']) + # Bug #1766235: According to RFC 8187, headers must be + # encoded as 7-bit ASCII, so expect to see only displayable + # chars in percent-encoding + self.assertEqual(b'ni%C3%B1o', headers['X-Auth-Token']) |
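Review bot: `test_headers_encoding` only pins a non-ASCII value (`u'ni\xf1o'`) and a purely alphanumeric one (`"value"`), so it says nothing about ASCII values containing characters that `quote()` escapes by default. I would add at least one such entry, for example `"ctype": "a/b; c=d"`, plus a token-like value containing `+` and `=`, and assert the exact bytes the client is meant to send for each. A non-ASCII header name deserves a case as well, since names are now percent-encoded too. The same gap applies to the `X-Auth-Token` assertion in the second hunk, which again uses only `ni\xf1o`.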