From 0828095f7345d873583132bdb92512b07766ccd1 Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Sun, 28 Aug 2011 11:26:21 -0700
Subject: [PATCH] Don't include X-SUP-ID if it contains \r\n.
Prevents an HTTP response splitting attack.
Thanks to @nealpoole (npoole) for the report!
---
 r2/r2/controllers/error.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/r2/r2/controllers/error.py b/r2/r2/controllers/error.py
index 4fc40a9e2..1d61219de 100644
--- a/r2/r2/controllers/error.py
+++ b/r2/r2/controllers/error.py
@@ -179,7 +179,9 @@ class ErrorController(RedditController):
             return self.send503()
         elif code == 304:
             if request.GET.has_key('x-sup-id'):
-                c.response.headers['x-sup-id'] = request.GET.get('x-sup-id')
+                x_sup_id = request.GET.get('x-sup-id')
+                if '\r\n' not in x_sup_id:
+                    c.response.headers['x-sup-id'] = x_sup_id
             return c.response
         elif c.site:
             return self.send404()
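Review bot: The new guard on the `x-sup-id` value only rejects the exact two-character sequence `\r\n`, so a value containing a bare `\r` or a bare `\n` still reaches `c.response.headers`; a number of HTTP stacks and intermediaries treat a lone `\n` (and some a lone `\r`) as a header line terminator, which leaves the response-splitting issue the commit is addressing only partly closed. The check should reject either control character on its own, `if '\r' not in x_sup_id and '\n' not in x_sup_id:`, and it would be more robust still to accept only the character set the header's consumers expect (presumably a short identifier; the expected format is not visible here and should be confirmed against the SUP consumers). A short comment above the check, such as `# Never echo CR/LF from the query string into a response header (response splitting).`, would record why the value is dropped rather than escaped. The enclosing method starts and ends outside this hunk.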