
Commit d952a16

Update handlers.py
1 parent 8ffdc16 commit d952a16

1 file changed

+14
-6
lines changed

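--- a/Lib/wsgiref/handlers.py
+++ b/Lib/wsgiref/handlers.py
@@ -236,14 +236,25 @@ def start_response(self, status, headers,exc_info=None):
 raise AssertionError("Headers already set!")
 
 self.status = status
+
+# Do not change the next line unless you know you are
+# doing because it indirectly prevents injections via C0 control
+# characters in the following lines via raising a ValueError
+# inside headers_class.
 self.headers = self.headers_class(headers)
-status = self._convert_string_type(status, "Status", name=True)
+
+status = self._convert_string_type(status, "Status")
+
+regex = (_name_disallowed_re if name else _value_disallowed_re)
+if regex.search(value):
+raise ValueError("Control characters are not allowed in headers and status")
+
 self._validate_status(status)
 
 if __debug__:
 for name, val in headers:
-name = self._convert_string_type(name, "Header name", name=True)
-val = self._convert_string_type(val, "Header value", name=False)
+name = self._convert_string_type(name, "Header name")
+val = self._convert_string_type(val, "Header value")
 assert not is_hop_by_hop(name),\
 f"Hop-by-hop header, '{name}: {val}', not allowed"
 
@@ -260,9 +271,6 @@ def _validate_status(self, status):
 def _convert_string_type(self, value, title, *, name):
 """Convert/check value type."""
 if type(value) is str:
-regex = (_name_disallowed_re if name else _value_disallowed_re)
-if regex.search(value):
-raise ValueError("Control characters not allowed in headers and status")
 return value
 raise AssertionError(
 "{0} must be of type str (got {1})".format(title, repr(value))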
