1.6.1dev: verify latin-1 characters only are used in status and heade…

…rs when `WSGIServer._start_response` is invoked (refs #13701) git-svn-id: http://trac.edgewall.org/intertrac/log:/branches/1.6-stable@17787 af82e41b-90c4-0310-8c96-b1721e28e2e2
edgewall · Apr 29, 2024 · a557413 · a557413
1 parent 2cdcd88
commit a557413
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/trac/web/wsgi.py b/trac/web/wsgi.py
@@ -16,6 +16,7 @@
 
 from abc import ABCMeta, abstractmethod
 import errno
+import re
 import sys
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from socketserver import ThreadingMixIn
@@ -140,6 +141,23 @@ def _start_response(self, status, headers, exc_info=None):
         else:
             assert not self.headers_set, 'Response already started'
 
+        def check_header(item, label):
+            if not isinstance(item, str):
+                raise TypeError('Expected str instance in %s' % label)
+            try:
+                item.encode('iso-8859-1')
+            except UnicodeEncodeError:
+                raise ValueError('Non latin-1 characters are used in %s' %
+                                 label) from None
+            if control_re.search(item):
+                raise ValueError('Control characters are used in %s' % label)
+
+        control_re = re.compile(r'[\x00-\x1f\x7f]')
+        check_header(status, 'status')
+        for name, value in headers:
+            check_header(name, 'headers')
+            check_header(value, 'headers')
+
         self.headers_set = [status, headers]
         return self._write