author | Bert JW Regeer <bertjw@regeer.org> | 2019-12-12 17:52:05 -0800 |
---|---|---|
committer | Bert JW Regeer <bertjw@regeer.org> | 2019-12-19 15:59:58 +0100 |
commit | 804e3133a54088fc879c5e791bbe14bb8eb625f9 (patch) | |
tree | aa1e79f6b60104d842a964ec0d3d68f650bb733e | |
parent | fb08ecf008d314a6c5ba4814efbb41abb0284dbf (diff) | |
Disallow BWS in header field-names
Waitress used to treat:
Foo : bar
As a valid header, however
https://tools.ietf.org/html/rfc7230#section-3.2 states that this is not
valid.
-rw-r--r-- | waitress/parser.py | 4 | ||||
-rw-r--r-- | waitress/tests/test_parser.py | 12 |
2 files changed, 16 insertions, 0 deletions
diff --git a/waitress/parser.py b/waitress/parser.py
index 945e680..e2970cb 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -197,6 +197,10 @@ class HTTPRequestParser(object):
 index = line.find(b":")
 if index > 0:
 key = line[:index]
+
+ if key != key.strip():
+ raise ParsingError("Invalid whitespace after field-name")
+
 if b"_" in key:
 continue
 value = line[index + 1 :].strip()
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 04de127..463e0b2 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -242,6 +242,18 @@ class TestHTTPRequestParser(unittest.TestCase):
 else: # pragma: nocover
 self.assertTrue(False)
+ def test_parse_header_invalid_whitespace(self):
+ from waitress.parser import ParsingError
+
+ data = b"GET /foobar HTTP/8.4\r\nfoo : bar\r\n"
+ try:
+ self.parser.parse_header(data)
+ except ParsingError as e:
+ self.assertIn("Invalid whitespace after field-name", e.args[0])
+ else: # pragma: nocover
+ self.assertTrue(False)
+
+
 class Test_split_uri(unittest.TestCase):
 def _callFUT(self, uri):
 from waitress.parser import split_uri |
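Review bot: The added guard in `waitress/parser.py` compares `key` only with `key.strip()`, so it rejects whitespace at the edges of the field-name but still accepts any other byte that RFC 7230 does not allow in a `token`, such as a space or control character in the middle of the name. A front-end proxy and waitress can then disagree about which headers a request carries, which is the ambiguity this commit is trying to close. Validating the whole name against the token grammar would cover both cases, for example with a module-level compiled pattern (placeholder name `FIELD_NAME_RE`) and `if not FIELD_NAME_RE.match(key): raise ParsingError("Invalid header field-name")`. The message also says "after field-name" although `strip()` triggers on leading whitespace too; whether such a line can reach this point is not visible, because the enclosing loop starts and ends outside the hunk.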
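Review bot: `test_parse_header_invalid_whitespace` exercises only a single space before the colon, so a later change that narrows the check to `b" "` would still pass. A second case with a tab, `data = b"GET /foobar HTTP/8.4\r\nfoo\t: bar\r\n"`, and a positive case asserting that `foo: bar` is still accepted would pin both sides of the boundary. A one-line docstring citing RFC 7230 section 3.2 would record why the request must be rejected. The test class continues outside the hunk.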