Disallow invalid header characters (#725)

tomchristie · web-flow · commit 789e2f135f36 · 2020-07-28T14:08:17.000+01:00
* Disallow invalid header characters

* Linting

* Fix escape sequence
diff --git a/uvicorn/protocols/http/httptools_impl.py b/uvicorn/protocols/http/httptools_impl.py
@@ -1,6 +1,7 @@
 import asyncio
 import http
 import logging
+import re
 import urllib
 
 import httptools
@@ -13,6 +14,9 @@
     is_ssl,
 )
 
+HEADER_RE = re.compile(b'[\x00-\x1F\x7F()<>@,;:[]={} \t\\"]')
+HEADER_VALUE_RE = re.compile(b"[\x00-\x1F\x7F]")
+
 
 def _get_status_line(status_code):
     try:
@@ -459,6 +463,11 @@ async def send(self, message):
             content = [STATUS_LINE[status_code]]
 
             for name, value in headers:
+                if HEADER_RE.search(name):
+                    raise RuntimeError("Invalid HTTP header name.")
+                if HEADER_VALUE_RE.search(value):
+                    raise RuntimeError("Invalid HTTP header value.")
+
                 name = name.lower()
                 if name == b"content-length" and self.chunked_encoding is None:
                     self.expected_content_length = int(value.decode())
