
Commit

Respond 400 instead of 500 when first header field line starts with S…
…P or HTAB.
kenballus committed Jul 6, 2024
1 parent 1ff20b1 commit bd642f1
Showing 3 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions cheroot/server.py
Expand Up @@ -197,6 +197,7 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
if hdict is None:
hdict = {}

k = None
while True:
line = rfile.readline()
if not line:
Expand All @@ -215,6 +216,8 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
# NOTE: `BytesWarning('Comparison between bytes and int')`
# NOTE: The latter is equivalent and does not.
# It's a continuation line.
if k is None:
raise ValueError('Illegal continuation line.')
v = line.strip()
else:
try:
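Review bot: The added `if k is None:` guard in the continuation-line branch has no comment saying why a fold with no preceding field line is rejected, and that reason is the security-relevant part of the change. I would add above it `# Whitespace before the first field line: nothing to fold into, so reject (RFC 9112 section 2.2) rather than guess.` The guard covers only the first line; a whitespace-led line after a valid field still takes the `v = line.strip()` path, and how that value is merged is outside the visible hunks, so it is worth confirming separately that this folding matches what a fronting proxy does with the same bytes. `__call__` starts and ends outside the hunks shown.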
11 changes: 11 additions & 0 deletions cheroot/test/test_core.py
Expand Up @@ -189,6 +189,17 @@ def test_parse_uri_invalid_uri(test_client):
c.close()


def test_parse_invalid_line_fold(test_client):
c = test_client.get_connection()
c._output(u'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'.encode('utf-8'))
c._send_output()
response = _get_http_response(c, method='GET')
response.begin()
assert response.status == HTTP_BAD_REQUEST
assert response.read(26) == b'Illegal continuation line.'
c.close()


@pytest.mark.parametrize(
'uri',
(
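Review bot: `test_parse_invalid_line_fold` sends only a leading SP, while the commit title also promises a 400 for HTAB, so the tab case is left untested. Parametrizing would cover both: `@pytest.mark.parametrize('ws', (' ', '\t'))` with the request built as `('GET / HTTP/1.1\r\n' + ws + 'I-am-misfolded!\r\n\r\n').encode('utf-8')`. The literal `26` in `response.read(26)` is the length of the expected message; reading `len(expected)` for a named bytes value would keep the two in sync if the wording changes.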
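--- a/docs/changelog-fragments.d/728.bugfix.rst
+++ b/docs/changelog-fragments.d/728.bugfix.rst
@@ -0,0 +1,4 @@
+The server has been updated to respond 400 to requests in
+which the first header field line begins with whitespace,
+instead of 500.
+-- by :user:`kenballus`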
