Commit 0cf7889 1 parent df37e46 commit 0cf7889 Copy full SHA for 0cf7889
File tree 3 files changed +8
-12
lines changed
3 files changed +8
-12
lines changed Original file line number Diff line number Diff line change @@ -139,7 +139,10 @@ def request_call(datum)
139139 # add headers to request
140140 datum [ :headers ] . each do |key , values |
141141 [ values ] . flatten . each do |value |
142- request << key . to_s << ': ' << value . to_s . gsub ( /\r \n / , ' ' ) << CR_NL
142+ if value . to_s . match ( /[\r \n ]/ )
143+ raise Excon ::Errors ::InvalidHeaderValue . new ( '\r and \n are forbidden' )
144+ end
145+ request << key . to_s << ': ' << value . to_s << CR_NL
143146 end
144147 end
145148
@@ -185,7 +188,7 @@ def request_call(datum)
185188 end
186189 rescue => error
187190 case error
188- when Excon ::Errors ::StubNotFound , Excon ::Errors ::Timeout
191+ when Excon ::Errors ::InvalidHeaderValue , Excon :: Errors :: StubNotFound , Excon ::Errors ::Timeout
189192 raise ( error )
190193 else
191194 raise_socket_error ( error )
Original file line number Diff line number Diff line change @@ -45,6 +45,7 @@ def initialize(socket_error = Excon::Error.new)
4545 end
4646 end
4747
48+ class InvalidHeaderValue < Error ; end
4849 class Timeout < Error ; end
4950 class ResponseParse < Error ; end
5051 class ProxyParse < Error ; end
Original file line number Diff line number Diff line change 22
33 with_server ( 'bad' ) do
44
5- tests ( 'prevents header splitting' ) . returns ( true ) do
5+ tests ( 'prevents header splitting' ) . raises ( Excon :: Errors :: InvalidHeaderValue ) do
66 connection = Excon . new ( 'http://127.0.0.1:9292' )
7- request = <<-BODY
8- GET /echo HTTP/1.1\r
9- User-Agent: excon/0.62.0\r
10- Foo: bar Baz: qux\r
11- Host: 127.0.0.1:9292\r
12- \r
13- BODY
14- response = connection . request (
7+ connection . request (
158 headers : { Foo : "bar\r \n Baz: qux" } ,
169 method : :get ,
1710 path : '/echo'
1811 )
19- response . body == request
2012 end
2113
2214 tests ( 'bad server: causes EOFError' ) do
You can’t perform that action at this time.
0 commit comments