Sanitize URL in Location header in redirects

PR #3613 by @m-burst
aio-libs · Feb 17, 2019 · cc4fffd · cc4fffd
1 parent 59ccf3a
commit cc4fffd
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 1 deletion.
diff --git a/CHANGES/3613.bugfix b/CHANGES/3613.bugfix
@@ -0,0 +1 @@
+Use sanitized URL as Location header in redirects
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
@@ -152,6 +152,7 @@ Mathias Fröjdman
 Matthieu Hauglustaine
 Matthieu Rigal
 Michael Ihnatenko
+Mikhail Burshteyn
 Mikhail Kashkin
 Mikhail Lukyanchenko
 Mikhail Nacharov

diff --git a/aiohttp/web_exceptions.py b/aiohttp/web_exceptions.py
@@ -203,8 +203,8 @@ def __init__(self,
             raise ValueError("HTTP redirects need a location to redirect to.")
         super().__init__(headers=headers, reason=reason,
                          text=text, content_type=content_type)
-        self.headers['Location'] = str(location)
         self._location = URL(location)
+        self.headers['Location'] = str(self.location)
 
     @property
     def location(self) -> URL:

diff --git a/tests/test_web_exceptions.py b/tests/test_web_exceptions.py
@@ -133,6 +133,11 @@ def test_HTTPFound_empty_location() -> None:
         web.HTTPFound(location=None)
 
 
+def test_HTTPFound_location_CRLF() -> None:
+    exc = web.HTTPFound(location='/redirect\r\n')
+    assert '\r\n' not in exc.headers['Location']
+
+
 async def test_HTTPMethodNotAllowed() -> None:
     exc = web.HTTPMethodNotAllowed('GET', ['POST', 'PUT'])
     assert 'GET' == exc.method