authorBert JW Regeer <xistence@0x58.com>2016-03-26 03:29:47 -0600
committerBert JW Regeer <xistence@0x58.com>2016-03-26 03:29:47 -0600
commite8fa436dc167533232dafde46809d7eecc119595 (patch)
tree0e5b28ba912f11a694caa5bd397d9b48c5c5d1b9
parent7b9c4b3142901b0371d16535eb57e9b76f2dead6 (diff)
parent4deab9f23f9eb273971da247981aa85b7a16e946 (diff)
downloadwaitress-e8fa436dc167533232dafde46809d7eecc119595.tar.gz
Merge pull request #124 from NextThought/fix.122
Check header names and status for line feed/carriage return. Fixes #122
-rw-r--r--CHANGES.txt9
-rw-r--r--CONTRIBUTORS.txt2
-rw-r--r--waitress/task.py7
-rw-r--r--waitress/tests/test_task.py14
4 files changed, 28 insertions, 4 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 922a9fc..d999326 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -9,10 +9,11 @@
See: https://github.com/Pylons/waitress/pull/82 and
https://github.com/Pylons/waitress/issues/76
-- Waitress will no longer accept headers with newline/carriage returns in them,
- thereby disallowing HTTP Response Splitting. See
- https://github.com/Pylons/waitress/issues/117 for more information, as well
- as https://www.owasp.org/index.php/HTTP_Response_Splitting.
+- Waitress will no longer accept headers or status lines with
+ newline/carriage returns in them, thereby disallowing HTTP Response
+ Splitting. See https://github.com/Pylons/waitress/issues/117 for
+ more information, as well as
+ https://www.owasp.org/index.php/HTTP_Response_Splitting.
- Call prune() on the output buffer at the end of a request so that it doesn't
continue to grow without bounds. See
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index cb009b0..dfefb8f 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -132,3 +132,5 @@ Contributors
- Bert JW Regeer, 2015-09-23
- Yu Zhou, 2015-09-24
+
+- Jason Madden, 2016-03-19
diff --git a/waitress/task.py b/waitress/task.py
index 501547a..4ce410c 100644
--- a/waitress/task.py
+++ b/waitress/task.py
@@ -358,6 +358,9 @@ class WSGITask(Task):
if not status.__class__ is str:
raise AssertionError('status %s is not a string' % status)
+ if '\n' in status or '\r' in status:
+ raise ValueError("carriage return/line "
+ "feed character present in status")
self.status = status
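Review bot: The same CR/LF test is now spelled out three times — here for the status, and in the next hunk of this file for the header value and then the header name — each with its own three-line `raise ValueError(...)`; a small module-level helper built around the one condition `if '\n' in s or '\r' in s:` that raises with the field name substituted (`'carriage return/line feed character present in %s' % what`) would keep the three messages consistent and put the check in one place. The code does not say why the characters are rejected, although the commit message does; a one-line comment on the new status check such as `# a CR/LF in the status would let the application split the HTTP response` would make the intent clear to the next reader. The enclosing method starts before this hunk and its body continues past it. The accompanying tests in test_task.py exercise only `\r` (`'a\r'`, `'200 OK\r'`); a `\n` case for each would cover the other half of the condition.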
@@ -375,6 +378,10 @@ class WSGITask(Task):
if '\n' in v or '\r' in v:
raise ValueError("carriage return/line "
"feed character present in header value")
+ if '\n' in k or '\r' in k:
+ raise ValueError("carriage return/line "
+ "feed character present in header name")
+
kl = k.lower()
if kl == 'content-length':
self.content_length = int(v)
diff --git a/waitress/tests/test_task.py b/waitress/tests/test_task.py
index c836f69..2a2759a 100644
--- a/waitress/tests/test_task.py
+++ b/waitress/tests/test_task.py
@@ -416,6 +416,20 @@ class TestWSGITask(unittest.TestCase):
inst.channel.server.application = app
self.assertRaises(ValueError, inst.execute)
+ def test_execute_bad_header_name_control_characters(self):
+ def app(environ, start_response):
+ start_response('200 OK', [('a\r', 'value')])
+ inst = self._makeOne()
+ inst.channel.server.application = app
+ self.assertRaises(ValueError, inst.execute)
+
+ def test_execute_bad_status_control_characters(self):
+ def app(environ, start_response):
+ start_response('200 OK\r', [])
+ inst = self._makeOne()
+ inst.channel.server.application = app
+ self.assertRaises(ValueError, inst.execute)
+
def test_preserve_header_value_order(self):
def app(environ, start_response):
write = start_response('200 OK', [('C', 'b'), ('A', 'b'), ('A', 'a')])