From 94d81bb77f685ebed7b2bbcf8f6b5f839da48b7a Mon Sep 17 00:00:00 2001
From: Ben Kallus
Date: Sat, 6 Jul 2024 17:36:30 -0400
Subject: [PATCH] Respond 400 when first header starts with space
---
 cheroot/server.py | 3 +++
 cheroot/test/test_core.py | 15 +++++++++++++++
 docs/changelog-fragments.d/728.bugfix.rst | 4 ++++
 3 files changed, 22 insertions(+)
 create mode 100644 docs/changelog-fragments.d/728.bugfix.rst
diff --git a/cheroot/server.py b/cheroot/server.py
index 91564611c0..47bca319f8 100644
--- a/cheroot/server.py
+++ b/cheroot/server.py
@@ -197,6 +197,7 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
 if hdict is None:
 hdict = {}
+ k = None
 while True:
 line = rfile.readline()
 if not line:
@@ -215,6 +216,8 @@ def __call__(self, rfile, hdict=None): # noqa: C901 # FIXME
 # NOTE: `BytesWarning('Comparison between bytes and int')`
 # NOTE: The latter is equivalent and does not.
 # It's a continuation line.
+ if k is None:
+ raise ValueError('Illegal continuation line.')
 v = line.strip()
 else:
 try:
diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
index d33647888e..35ccbd96ed 100644
--- a/cheroot/test/test_core.py
+++ b/cheroot/test/test_core.py
@@ -189,6 +189,21 @@ def test_parse_uri_invalid_uri(test_client):
 c.close()
+def test_parse_invalid_line_fold(test_client):
+ """Check that server responds with Bad Request to invalid GET queries.
+
+ Invalid field line test case: the first should not begin with whitespoace
+ """
+ c = test_client.get_connection()
+ c._output(u'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'.encode('utf-8'))
+ c._send_output()
+ response = _get_http_response(c, method='GET')
+ response.begin()
+ assert response.status == HTTP_BAD_REQUEST
+ assert response.read(26) == b'Illegal continuation line.'
+ c.close()
+
+
 @pytest.mark.parametrize(
 'uri',
 (
diff --git a/docs/changelog-fragments.d/728.bugfix.rst b/docs/changelog-fragments.d/728.bugfix.rst
new file mode 100644
index 0000000000..c90ab3ef0d
--- /dev/null
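Review bot: The new `if k is None: raise ValueError('Illegal continuation line.')` in the second server.py hunk (@@ -215) carries no comment saying why a folded line before any field-name is an error, and the `k = None` added in the first hunk (@@ -197) is equally silent about being the sentinel that check relies on; write `k = None  # no field-name parsed yet; a folded line before one is rejected below` there and, above the raise, `# obs-fold with nothing to continue (RFC 9112 §5.2) — reject instead of falling through`. Whether the ValueError becomes the 400 the changelog promises is decided by a caller outside this hunk, so the comment should say "rejected" rather than name a status unless that path is confirmed. Only the no-preceding-field case is rejected here: the `v = line.strip()` context line shows that folded lines after a field are still processed, which that RFC section permits only if each fold is replaced by SP before interpretation, so the folding behaviour itself is unchanged by this commit and may deserve a follow-up. `__call__`'s body begins before and continues after both hunks.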
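Review bot: The docstring of the new `test_parse_invalid_line_fold` misspells "whitespoace", and its summary line `Check that server responds with Bad Request to invalid GET queries.` describes the neighbouring URI tests rather than this case; replace it with `"""Check that a request whose first header line is folded gets 400."""` and the second paragraph with `Invalid field line test case: the first field line must not begin with whitespace.`. The `response.read(26)` length is hand-counted from the error text, so a future wording change would fail with a confusing truncated-body mismatch; `assert response.read() == b'Illegal continuation line.'` pins the same body without the magic number, unless the sibling tests deliberately use the fixed-length form for a reason not visible here. The `u'...'.encode('utf-8')` request could simply be the bytes literal `b'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'` if the file no longer targets Python 2, which this hunk does not show.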
+++ b/docs/changelog-fragments.d/728.bugfix.rst
@@ -0,0 +1,4 @@
+The server has been updated to respond 400 to requests in
+which the first header field line begins with whitespace,
+instead of 500.
+-- by :user:`kenballus`