From 70f4f79dad71d8158c4dc4dd042bf89d2b10c972 Mon Sep 17 00:00:00 2001
From: Keith Mitchell
Date: Wed, 15 Aug 2012 14:11:56 -0700
Subject: [PATCH] Spaces are ok; CRs and LFs are not

Protect against HTTP response splitting* without overzealously blocking standard space characters from URLs
* see http://en.wikipedia.org/wiki/HTTP_response_splitting
---
 r2/r2/lib/base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/r2/r2/lib/base.py b/r2/r2/lib/base.py
index 514044b0e..4cca80c8d 100644
--- a/r2/r2/lib/base.py
+++ b/r2/r2/lib/base.py
@@ -176,8 +176,8 @@ class BaseController(WSGIController):
 # unparse and encode it un utf8
 rv = _force_unicode(u.unparse()).encode('utf8')
- if any(ch.isspace() for ch in rv):
- raise ValueError("Space characters in redirect URL: [%r]" % rv)
+ if "\n" in rv or "\r" in rv:
+ abort(400)
 return rv
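Review bot: The new check `if "\n" in rv or "\r" in rv:` rejects only CR and LF, so other control bytes now pass into the redirect URL: tab, vertical tab and form feed, which the old `isspace()` test caught, and NUL and DEL, which it never did. Rejecting the whole ASCII control range while still allowing the space character would be tighter, e.g. `if any(ord(ch) < 0x20 or ord(ch) == 0x7f for ch in rv):` (this assumes `rv` is a Python 2 byte string, as the `.encode('utf8')` on the line above suggests). Replacing the `ValueError` with `abort(400)` also drops the offending value from the error, so a log call that records `%r` of `rv` just before the abort would keep rejected redirect targets visible to whoever monitors for response-splitting attempts. The enclosing method starts above the hunk, so whether `abort` is imported in `base.py` and whether any caller relied on catching `ValueError` cannot be confirmed from here.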