Spaces are ok; CRs and LFs are not

Protect against HTTP response splitting* without overzealously blocking standard space characters from URLs * see http://en.wikipedia.org/wiki/HTTP_response_splitting
2026-01-27 07:48:16 -05:00 · 2012-08-15 14:11:56 -07:00
parent a31b1e69f9
commit 70f4f79dad
1 changed files with 2 additions and 2 deletions
--- a/r2/r2/lib/base.py
+++ b/r2/r2/lib/base.py
@@ -176,8 +176,8 @@ class BaseController(WSGIController):

        # unparse and encode it un utf8
        rv = _force_unicode(u.unparse()).encode('utf8')
-        if any(ch.isspace() for ch in rv):
-            raise ValueError("Space characters in redirect URL: [%r]" % rv)
+        if "\n" in rv or "\r" in rv:
+            abort(400)
        return rv