File CVE-2018-1000164.patch of Package python3-gunicorn

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-1000164.patch of Package python3-gunicorn

Index: gunicorn-19.3.0/gunicorn/http/wsgi.py
===================================================================
--- gunicorn-19.3.0.orig/gunicorn/http/wsgi.py	2015-03-06 10:08:34.000000000 +0100
+++ gunicorn-19.3.0/gunicorn/http/wsgi.py	2018-04-09 13:47:42.525111144 +0200
@@ -10,6 +10,7 @@ import re
 import sys
 
 from gunicorn._compat import unquote_to_wsgi_str
+from gunicorn.http.errors import InvalidHeader 
 from gunicorn.six import string_types, binary_type, reraise
 from gunicorn import SERVER_SOFTWARE
 import gunicorn.six as six
@@ -25,6 +26,7 @@ except ImportError:
         sendfile = None
 
 NORMALIZE_SPACE = re.compile(r'(?:\r\n)?[ \t]+')
+HEADER_VALUE_RE = re.compile(r'[\x00-\x1F\x7F]')
 
 log = logging.getLogger(__name__)
 
@@ -259,6 +261,8 @@ class Response(object):
         for name, value in headers:
             if not isinstance(name, string_types):
                 raise TypeError('%r is not a string' % name)
+            if HEADER_VALUE_RE.search(value):
+                raise InvalidHeader('%r' % value)
             value = str(value).strip()
             lname = name.lower().strip()
             if lname == "content-length":

Places

File CVE-2018-1000164.patch of Package python3-gunicorn

Places