Merge branch 'branch2.2'

Conflicts: setup.py tornado/__init__.py tornado/test/web_test.py tox.ini website/sphinx/releases.rst
2012-04-23 22:34:42 -07:00 · 2012-04-23 22:34:42 -07:00 · 3df46ee312
parent 5ae39bc6d1 235cb17a0a
commit 3df46ee312
5 changed files with 38 additions and 2 deletions
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@ -381,6 +381,16 @@ class EmptyFlushCallbackHandler(RequestHandler):
        self.finish("k")


+class HeaderInjectionHandler(RequestHandler):
+    def get(self):
+        try:
+            self.set_header("X-Foo", "foo\r\nX-Bar: baz")
+            raise Exception("Didn't get expected exception")
+        except ValueError, e:
+            assert "Unsafe header value" in str(e)
+            self.finish(b("ok"))
+
+
 class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
    def get_app(self):
        loader = DictLoader({
@ -406,6 +416,7 @@ class WebTest(AsyncHTTPTestCase, LogTrapTestCase):
            url("/multi_header", MultiHeaderHandler),
            url("/redirect", RedirectHandler),
            url("/empty_flush", EmptyFlushCallbackHandler),
+            url("/header_injection", HeaderInjectionHandler),
            ]
        return Application(urls,
                           template_loader=loader,
@ -503,6 +514,10 @@ js_embed()
        response = self.fetch("/empty_flush")
        self.assertEqual(response.body, b("ok"))

+    def test_header_injection(self):
+        response = self.fetch("/header_injection")
+        self.assertEqual(response.body, b("ok"))
+

 class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase):
    def get_app(self):
--- a/tornado/web.py
+++ b/tornado/web.py
@ -276,7 +276,7 @@ class RequestHandler(object):
        # If \n is allowed into the header, it is possible to inject
        # additional headers or split the request. Also cap length to
        # prevent obviously erroneous values.
-        if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
+        if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
            raise ValueError("Unsafe header value %r", value)
        return value

--- a/tox.ini
+++ b/tox.ini
@ -84,4 +84,4 @@ setenv = LANG=en_US.utf-8

 [testenv:py33]
 # tox doesn't yet know "py33" by default
-basepython = python3.3
+basepython = python3.3
--- a/website/sphinx/releases.rst
+++ b/website/sphinx/releases.rst
@ -5,6 +5,7 @@ Release notes
   :maxdepth: 2

   releases/next
+   releases/v2.2.1
   releases/v2.2.0
   releases/v2.1.1
   releases/v2.1.0
--- a/website/sphinx/releases/v2.2.1.rst
+++ b/website/sphinx/releases/v2.2.1.rst
@ -0,0 +1,20 @@
+What's new in Tornado 2.2.1
+===========================
+
+Apr 23, 2012
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+* `tornado.web.RequestHandler.set_header` now properly sanitizes input
+  values to protect against header injection, response splitting, etc.
+  (it has always attempted to do this, but the check was incorrect).
+  Note that redirects, the most likely source of such bugs, are protected
+  by a separate check in `RequestHandler.redirect`.
+
+Bug fixes
+~~~~~~~~~
+
+* Colored logging configuration in `tornado.options` is compatible with
+  Python 3.2.3 (and 3.3).