Disallow newlines in reason (#9167)

aio-libs · Sep 19, 2024 · 88f3834 · 88f3834
1 parent 139f3a6
commit 88f3834
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 4 deletions.
diff --git a/CHANGES/9167.bugfix.rst b/CHANGES/9167.bugfix.rst
@@ -0,0 +1 @@
+Rejected `\n` in `reason` values to avoid sending broken HTTP messages -- by :user:`Dreamsorcerer`.
diff --git a/aiohttp/web_exceptions.py b/aiohttp/web_exceptions.py
@@ -99,6 +99,8 @@ def __init__(
         super().__init__()
         if reason is None:
             reason = self.default_reason
+        elif "\n" in reason:
+            raise ValueError("Reason cannot contain \\n")
 
         if text is None:
             if not self.empty_body:

diff --git a/aiohttp/web_response.py b/aiohttp/web_response.py
@@ -165,6 +165,8 @@ def set_status(
                 reason = HTTPStatus(self._status).phrase
             except ValueError:
                 reason = ""
+        if "\n" in reason:
+            raise ValueError("Reason cannot contain \\n")
         self._reason = reason
 
     @property

diff --git a/tests/test_web_exceptions.py b/tests/test_web_exceptions.py
@@ -183,6 +183,10 @@ def test_ctor_all(self) -> None:
         assert resp.reason == "Done"
         assert resp.status == 200
 
+    def test_multiline_reason(self) -> None:
+        with pytest.raises(ValueError, match=r"Reason cannot contain \\n"):
+            web.HTTPOk(reason="Bad\r\nInjected-header: foo")
+
     def test_pickle(self) -> None:
         resp = web.HTTPOk(
             headers={"X-Custom": "value"},

diff --git a/tests/test_web_response.py b/tests/test_web_response.py
@@ -811,14 +811,14 @@ async def test_start_force_close() -> None:
 
 async def test___repr__() -> None:
     req = make_request("GET", "/path/to")
-    resp = StreamResponse(reason=301)
+    resp = StreamResponse(reason="foo")
     await resp.prepare(req)
-    assert "<StreamResponse 301 GET /path/to >" == repr(resp)
+    assert "<StreamResponse foo GET /path/to >" == repr(resp)
 
 
 def test___repr___not_prepared() -> None:
-    resp = StreamResponse(reason=301)
-    assert "<StreamResponse 301 not prepared>" == repr(resp)
+    resp = StreamResponse(reason="foo")
+    assert "<StreamResponse foo not prepared>" == repr(resp)
 
 
 async def test_keep_alive_http10_default() -> None:
@@ -1092,6 +1092,11 @@ async def test_render_with_body(buf: Any, writer: Any) -> None:
     )
 
 
+async def test_multiline_reason(buf: Any, writer: Any) -> None:
+    with pytest.raises(ValueError, match=r"Reason cannot contain \\n"):
+        Response(reason="Bad\r\nInjected-header: foo")
+
+
 async def test_send_set_cookie_header(buf: Any, writer: Any) -> None:
     resp = Response()
     resp.cookies["name"] = "value"