Don't include X-SUP-ID if it contains \r\n.

Prevents an HTTP response splitting attack. Thanks to @nealpoole (npoole) for the report!
2026-01-27 07:48:16 -05:00 · 2011-08-28 11:26:21 -07:00
parent 06dea8a4db
commit 0828095f73
1 changed files with 3 additions and 1 deletions
--- a/r2/r2/controllers/error.py
+++ b/r2/r2/controllers/error.py
@@ -179,7 +179,9 @@ class ErrorController(RedditController):
                return self.send503()
            elif code == 304:
                if request.GET.has_key('x-sup-id'):
-                    c.response.headers['x-sup-id'] = request.GET.get('x-sup-id')
+                    x_sup_id = request.GET.get('x-sup-id')
+                    if '\r\n' not in x_sup_id:
+                        c.response.headers['x-sup-id'] = x_sup_id
                return c.response
            elif c.site:
                return self.send404()