Log message for revision 127996: LP #930812: Scrub headers a bit more.
Changed: U Zope/branches/2.12/doc/CHANGES.rst U Zope/branches/2.12/src/ZPublisher/HTTPResponse.py U Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py -=- Modified: Zope/branches/2.12/doc/CHANGES.rst =================================================================== --- Zope/branches/2.12/doc/CHANGES.rst 2012-10-14 12:02:49 UTC (rev 127995) +++ Zope/branches/2.12/doc/CHANGES.rst 2012-10-14 12:38:50 UTC (rev 127996) @@ -8,6 +8,7 @@ 2.12.26 (unreleased) -------------------- +- LP #930812: Scrub headers a bit more. 2.12.25 (2012-09-18) -------------------- @@ -15,7 +16,6 @@ - Explicitly declared ZTUtils APIs as public (repairs breakages in apps following fix for LP #1047318). - 2.12.24 (2012-09-09) -------------------- Modified: Zope/branches/2.12/src/ZPublisher/HTTPResponse.py =================================================================== --- Zope/branches/2.12/src/ZPublisher/HTTPResponse.py 2012-10-14 12:02:49 UTC (rev 127995) +++ Zope/branches/2.12/src/ZPublisher/HTTPResponse.py 2012-10-14 12:38:50 UTC (rev 127996) @@ -125,7 +125,7 @@ if otherTypes: uncompressableMimeMajorTypes += tuple(otherTypes.split(',')) -_CRLF = re.compile(r'\r[\n]?') +_CRLF = re.compile(r'[\r\n]') def _scrubHeader(name, value): return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value))) Modified: Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py =================================================================== --- Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py 2012-10-14 12:02:49 UTC (rev 127995) +++ Zope/branches/2.12/src/ZPublisher/tests/testHTTPResponse.py 2012-10-14 12:38:50 UTC (rev 127996) 
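Review bot: `_scrubHeader` still joins the pieces around each match of the new `_CRLF` pattern without any record, so a header name or value that arrived with an embedded CR or LF is sent as one merged string and the attempt leaves no trace. Logging a warning when the scrubbed text differs from the input (or rejecting such input outright, if callers can tolerate an exception) would make response-splitting attempts visible to operators. The constant name `_CRLF` also no longer describes a pattern that matches either character alone; a comment above it such as `# Match CR or LF individually: some clients treat a bare LF as a header separator (LP #930812).` would record the reason.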
@@ -303,6 +303,15 @@ 'Set-Cookie: ' 'violation="http://www.ietf.org/rfc/rfc2616.txt"\r\n') + def test_setHeader_drops_LF(self): + # Some browsers accept \n in place of \n\r to separate headers, + # so we scrub it too. + response = self._makeOne() + response.setHeader('Location', + 'http://www.ietf.org/rfc/\nrfc2616.txt') + self.assertEqual(response.headers['location'], + 'http://www.ietf.org/rfc/rfc2616.txt') + def test_setBody_compression_vary(self): # Vary header should be added here response = self._makeOne() _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins
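Review bot: The comment in `test_setHeader_drops_LF` writes the header terminator as `\n\r`, but the HTTP sequence is CR LF, so it should read `# Some browsers accept \n in place of \r\n to separate headers,`. The test also pins only a bare LF inside a header value passed to `setHeader`. Since `_scrubHeader` applies the same pattern to the header name, a companion assertion with an LF in the name would cover the other half of the change. The enclosing test class begins outside this hunk, so whether other header-setting methods already have equivalent tests cannot be seen from here.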