Add a middleware to sanitize response splitting attempts.

Thanks to Jordan Milne (/u/largenocream) for reporting this and joyent/node@3c293ba272 for inspiration for this solution.
2026-01-26 07:19:25 -05:00 · 2013-11-07 00:06:39 -08:00
parent 909ce5fefb
commit 2f5d8cd4fa
1 changed files with 22 additions and 0 deletions
--- a/r2/r2/config/middleware.py
+++ b/r2/r2/config/middleware.py
@@ -355,6 +355,26 @@ class CleanupMiddleware(object):
        return self.app(environ, custom_start_response)


+class SafetyMiddleware(object):
+    """Clean up any attempts at response splitting in headers."""
+
+    has_bad_characters = re.compile("[\r\n]")
+    sanitizer = re.compile("[\r\n]+[ \t]*")
+
+    def __init__(self, app):
+        self.app = app
+
+    def __call__(self, environ, start_response):
+        def safe_start_response(status, headers, exc_info=None):
+            sanitized = []
+            for name, value in headers:
+                if self.has_bad_characters.search(value):
+                    value = self.sanitizer.sub("", value)
+                sanitized.append((name, value))
+            return start_response(status, sanitized, exc_info)
+        return self.app(environ, safe_start_response)
+
+
 class RedditApp(PylonsApp):
    def __init__(self, *args, **kwargs):
        super(RedditApp, self).__init__(*args, **kwargs)
@@ -456,4 +476,6 @@ def make_app(global_conf, full_stack=True, **app_conf):
        static_fallback = StaticTestMiddleware(static_app, g.config['static_path'], g.config['static_domain'])
        app = Cascade([static_fallback, app])

+    app = SafetyMiddleware(app)
+
    return app