authorJacob Kaplan-Moss <jacob@jacobian.org>2009-05-08 11:15:23 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2009-05-08 11:15:23 +0000
commit155ab07a5d40f5e0a426423cb8df3868a37a02f8 (patch)
treeb75328ea129d70b5b15a125a8fa4649622c4703b /django/http
parenta7faf6424a8193cbf8a3a8d017461188fe9ea9c9 (diff)
Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/http')
-rw-r--r--django/http/__init__.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index 7c6b8f9a0f..92c38c0ad6 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -263,6 +263,9 @@ def parse_cookie(cookie):
cookiedict[key] = c.get(key).value
return cookiedict
+class BadHeaderError(ValueError):
+ pass
+
class HttpResponse(object):
"""A basic HTTP response, with content and dictionary-accessed headers."""
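Review bot: The new `BadHeaderError` class has no docstring, so nothing at the definition says when it is raised or why it derives from `ValueError`. I would replace `pass` with a one-line docstring such as `"""Raised when a header value contains a newline (CR or LF)."""`, so callers who catch it know it signals a rejected header-injection attempt rather than a generic bad value.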
@@ -301,6 +304,8 @@ class HttpResponse(object):
def _convert_to_ascii(self, *values):
"""Converts all values to ascii strings."""
for value in values:
+ if '\n' in value or '\r' in value:
+ raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
if isinstance(value, unicode):
try:
yield value.encode('us-ascii')
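Review bot: The newline test at the top of the loop in `_convert_to_ascii` runs on the raw `value`, before the `isinstance(value, unicode)` branch, so it assumes every value is already a string. A non-string value such as an int would raise `TypeError` from the `in` test, and an object whose `str()` form contains CR or LF would be checked in a different form from the one written into the header. Testing the converted text closes both gaps: put `if not isinstance(value, basestring): value = str(value)` ahead of the check, or move the check to just before each `yield`. Separately, `% (value)` is not a tuple, and `% (value,)` keeps the message formatting correct if a tuple ever reaches it. The rest of the function is outside the hunk, so confirm how non-unicode values are handled there.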