Respond 400 when first header starts with space

cherrypy · Jul 6, 2024 · 94d81bb · 94d81bb
1 parent 1ff20b1
commit 94d81bb
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/cheroot/server.py b/cheroot/server.py
@@ -197,6 +197,7 @@ def __call__(self, rfile, hdict=None):  # noqa: C901  # FIXME
         if hdict is None:
             hdict = {}
 
+        k = None
         while True:
             line = rfile.readline()
             if not line:
@@ -215,6 +216,8 @@ def __call__(self, rfile, hdict=None):  # noqa: C901  # FIXME
                 # NOTE: `BytesWarning('Comparison between bytes and int')`
                 # NOTE: The latter is equivalent and does not.
                 # It's a continuation line.
+                if k is None:
+                    raise ValueError('Illegal continuation line.')
                 v = line.strip()
             else:
                 try:

diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
@@ -189,6 +189,21 @@ def test_parse_uri_invalid_uri(test_client):
     c.close()
 
 
+def test_parse_invalid_line_fold(test_client):
+    """Check that server responds with Bad Request to invalid GET queries.
+
+    Invalid field line test case: the first should not begin with whitespoace
+    """
+    c = test_client.get_connection()
+    c._output(u'GET / HTTP/1.1\r\n I-am-misfolded!\r\n\r\n'.encode('utf-8'))
+    c._send_output()
+    response = _get_http_response(c, method='GET')
+    response.begin()
+    assert response.status == HTTP_BAD_REQUEST
+    assert response.read(26) == b'Illegal continuation line.'
+    c.close()
+
+
 @pytest.mark.parametrize(
     'uri',
     (

diff --git a/docs/changelog-fragments.d/728.bugfix.rst b/docs/changelog-fragments.d/728.bugfix.rst
@@ -0,0 +1,4 @@
+The server has been updated to respond 400 to requests in
+which the first header field line begins with whitespace,
+instead of 500.
+-- by :user:`kenballus`