From 1ae91f6d58e6257e0ab49d295d8741ce1727bdb7 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Mon, 23 Apr 2012 21:55:05 -0700
Subject: [PATCH] Fix reponse header sanitization.
---
 tornado/test/web_test.py | 15 +++++++++++++++
 tornado/web.py | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index 9f4c860e..5312304f 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -335,6 +335,16 @@ class RedirectHandler(RequestHandler):
 raise Exception("didn't get permanent or status arguments")
+class HeaderInjectionHandler(RequestHandler):
+ def get(self):
+ try:
+ self.set_header("X-Foo", "foo\r\nX-Bar: baz")
+ raise Exception("Didn't get expected exception")
+ except ValueError, e:
+ assert "Unsafe header value" in str(e)
+ self.finish(b("ok"))
+
+
 class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
 def get_app(self):
 loader = DictLoader({
@@ -359,6 +369,7 @@ class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
 url("/flow_control", FlowControlHandler),
 url("/multi_header", MultiHeaderHandler),
 url("/redirect", RedirectHandler),
+ url("/header_injection", HeaderInjectionHandler),
 ]
 return Application(urls, template_loader=loader,
@@ -452,6 +463,10 @@ js_embed()
 response = self.fetch("/redirect?status=307", follow_redirects=False)
 self.assertEqual(response.code, 307)
+ def test_header_injection(self):
+ response = self.fetch("/header_injection")
+ self.assertEqual(response.body, b("ok"))
+
 class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase):
 def get_app(self):
diff --git a/tornado/web.py b/tornado/web.py
index c31eb674..76392b75 100644
--- a/tornado/web.py
+++ b/tornado/web.py
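Review bot: The `assert "Unsafe header value" in str(e)` inside `HeaderInjectionHandler.get` is stripped under `python -O`, and when it does fail the only symptom on the client side is a 500 whose body is not `b("ok")`, which says nothing about which expectation broke. Raising explicitly keeps the check alive under `-O` and names the mismatch: replace the assert with `if "Unsafe header value" not in str(e):` / `raise Exception("unexpected message: %r" % str(e))`. It would also be worth a sibling request in the same handler confirming that a value without control characters is still accepted, so a regression to an over-broad pattern is caught by the same test; whether another handler in this file already covers that is not visible from the hunk.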
@@ -275,7 +275,7 @@ class RequestHandler(object):
 # If \n is allowed into the header, it is possible to inject
 # additional headers or split the request. Also cap length to
 # prevent obviously erroneous values.
- if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
+ if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
 raise ValueError("Unsafe header value %r", value)
 return value
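Review bot: The `raise ValueError("Unsafe header value %r", value)` line just below the changed condition passes `value` as a second exception argument instead of interpolating it (a comma, not `%`), so the message never shows the offending header value; the new test's `str(e)` substring check only passes because Python renders the args tuple. Since this commit is already correcting the sanitizer, it is the place to fix that too: `raise ValueError("Unsafe header value %r" % value)`. The switch to `re.search` now rejects control characters anywhere in the value rather than only at position 0, but `\x7f` (DEL), which HTTP also classes as a CTL, still slips through the range; `re.search(b(r"[\x00-\x1f\x7f]"), value)` would close that gap. The enclosing method starts outside the hunk, so the earlier type-conversion branches that feed `value` here were not reviewed.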