Respond 400 when first header starts with space
kenballus committed Jul 6, 2024
1 parent 1ff20b1 commit 94d81bb
Showing 3 changed files with 22 additions and 0 deletions.
3 changes: 3 additions & 0 deletions cheroot/server.py
Expand Up @@ -197,6 +197,7 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
if hdict is None:
hdict = {}

k = None
while True:
line = rfile.readline()
if not line:
Expand All @@ -215,6 +216,8 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
# NOTE: `BytesWarning('Comparison between bytes and int')`
# NOTE: The latter is equivalent and does not.
# It's a continuation line.
if k is None:
raise ValueError('Illegal continuation line.')
v = line.strip()
else:
try:
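Review bot: The new guard `if k is None:` in the continuation branch carries no comment, and the `k = None` that gives it meaning sits at the top of the read loop in the other hunk, so a reader of this branch cannot tell that `None` stands for "no field line parsed yet"; I'd add above the guard `# A folded line before any field line has nothing to continue (RFC 7230 §3.2.4 obs-fold).` The message `'Illegal continuation line.'` is also asserted byte-for-byte by the new test in `cheroot/test/test_core.py` via `response.read(26)`, so it should be treated as part of the contract and not reworded without updating that test. Where the raised `ValueError` is turned into the 400 response is outside this hunk, so I cannot confirm from here that it is caught rather than surfacing as a 500 on some other path. The body of `__call__` begins before the first hunk and continues past this one.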
15 changes: 15 additions & 0 deletions cheroot/test/test_core.py
Expand Up @@ -189,6 +189,21 @@ def test_parse_uri_invalid_uri(test_client):
c.close()


def test_parse_invalid_line_fold(test_client):
"""Check that server responds with Bad Request to invalid GET queries.
Invalid field line test case: the first should not begin with whitespoace
"""
c = test_client.get_connection()
c._output(u'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'.encode('utf-8'))
c._send_output()
response = _get_http_response(c, method='GET')
response.begin()
assert response.status == HTTP_BAD_REQUEST
assert response.read(26) == b'Illegal continuation line.'
c.close()


@pytest.mark.parametrize(
'uri',
(
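Review bot: `assert response.read(26) == b'Illegal continuation line.'` hard-codes the byte length of the expected message, so a change to the server text would silently shift what is compared rather than fail clearly; `expected = b'Illegal continuation line.'` followed by `assert response.read(len(expected)) == expected` keeps the two in step. The docstring of `test_parse_invalid_line_fold` misspells "whitespace" as "whitespoace" and its summary line speaks of "invalid GET queries" although the case is one misfolded first header line; I'd write `"""Check that server responds with Bad Request when the first header line is folded.` and `Invalid field line test case: the first field line must not begin with whitespace.`. The `u'...'.encode('utf-8')` on the request literal is a Python 2 remnant; a plain `b'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'` expresses the same bytes directly.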
4 changes: 4 additions & 0 deletions docs/changelog-fragments.d/728.bugfix.rst
@@ -0,0 +1,4 @@
The server has been updated to respond 400 to requests in
which the first header field line begins with whitespace,
instead of 500.
-- by :user:`kenballus`
