[Zope-Checkins] SVN: Zope/branches/2.12/ LP #930812: Scrub headers a bit more.
Hano Schlichting
cvs-admin at zope.org
Sun Oct 14 12:38:54 UTC 2012
Log message for revision 127996:
LP #930812: Scrub headers a bit more.
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/src/ZPublisher/HTTPResponse.py
U Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py
-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst 2012-10-14 12:02:49 UTC (rev 127995)
+++ Zope/branches/2.12/doc/CHANGES.rst 2012-10-14 12:38:50 UTC (rev 127996)
@@ -8,6 +8,7 @@
2.12.26 (unreleased)
--------------------
+- LP #930812: Scrub headers a bit more.
2.12.25 (2012-09-18)
--------------------
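Review bot: The new entry under 2.12.26, "Scrub headers a bit more", does not tell a reader of the changelog what changed or why it matters. Since the code change makes header scrubbing remove a bare LF as well as CR, say so in the entry, for example "Strip bare LF (as well as CR) from response header names and values", so that people deciding whether to upgrade can see it is a header-injection hardening.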
@@ -15,7 +16,6 @@
- Explicitly declared ZTUtils APIs as public (repairs breakages in apps
following fix for LP #1047318).
-
2.12.24 (2012-09-09)
--------------------
Modified: Zope/branches/2.12/src/ZPublisher/HTTPResponse.py
===================================================================
--- Zope/branches/2.12/src/ZPublisher/HTTPResponse.py 2012-10-14 12:02:49 UTC (rev 127995)
+++ Zope/branches/2.12/src/ZPublisher/HTTPResponse.py 2012-10-14 12:38:50 UTC (rev 127996)
@@ -125,7 +125,7 @@
if otherTypes:
uncompressableMimeMajorTypes += tuple(otherTypes.split(','))
-_CRLF = re.compile(r'\r[\n]?')
+_CRLF = re.compile(r'[\r\n]')
def _scrubHeader(name, value):
return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
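Review bot: After this change the name `_CRLF` no longer describes the pattern: `[\r\n]` matches either character on its own, not the CR LF sequence, and there is no comment beside it explaining that a bare LF is removed on purpose. Rename it or add a one-line comment at the definition. Note also that `_scrubHeader` deletes the characters and joins the pieces, so a value containing an embedded line break is silently merged into one line; if that is the intended behaviour rather than rejecting or logging the value, it is worth documenting in the function.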
Modified: Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py
===================================================================
--- Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py 2012-10-14 12:02:49 UTC (rev 127995)
+++ Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py 2012-10-14 12:38:50 UTC (rev 127996)
@@ -303,6 +303,15 @@
'Set-Cookie: '
'violation="http://www.ietf.org/rfc/rfc2616.txt"\r\n')
+ def test_setHeader_drops_LF(self):
+ # Some browsers accept \n in place of \n\r to separate headers,
+ # so we scrub it too.
+ response = self._makeOne()
+ response.setHeader('Location',
+ 'http://www.ietf.org/rfc/\nrfc2616.txt')
+ self.assertEqual(response.headers['location'],
+ 'http://www.ietf.org/rfc/rfc2616.txt')
+
def test_setBody_compression_vary(self):
# Vary header should be added here
response = self._makeOne()
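Review bot: The comment in `test_setHeader_drops_LF` says "\n in place of \n\r", but the header separator is "\r\n", so the comment has the sequence reversed. The test also exercises only a single LF inside the value, while `_scrubHeader` is applied to both name and value and the pattern now matches CR and LF individually. Consider adding cases for a LF in the header name and for a value with a leading or trailing LF, so the whole of the new character class is covered.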