summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--test/python/header_fields/wsgi.py9
-rw-r--r--test/test_http_header.py38
2 files changed, 47 insertions, 0 deletions
diff --git a/test/python/header_fields/wsgi.py b/test/python/header_fields/wsgi.py
new file mode 100644
index 00000000..bd1ba0e2
--- /dev/null
+++ b/test/python/header_fields/wsgi.py
@@ -0,0 +1,9 @@
+def application(environ, start_response):
+
+ h = (k for k, v in environ.items() if k.startswith('HTTP_'))
+
+ start_response('200', [
+ ('Content-Length', '0'),
+ ('All-Headers', ','.join(h))
+ ])
+ return []
diff --git a/test/test_http_header.py b/test/test_http_header.py
index b1c77066..fdb557cf 100644
--- a/test/test_http_header.py
+++ b/test/test_http_header.py
@@ -431,3 +431,41 @@ Connection: close
)['status']
== 400
), 'Host multiple fields'
+
+ def test_http_discard_unsafe_fields(self):
+ self.load('header_fields')
+
+ def check_status(header):
+ resp = self.get(
+ headers={
+ 'Host': 'localhost',
+ header: 'blah',
+ 'Connection': 'close',
+ }
+ )
+
+ assert resp['status'] == 200
+ return resp
+
+ resp = check_status("!Custom-Header")
+ assert 'CUSTOM' not in resp['headers']['All-Headers']
+
+ resp = check_status("Custom_Header")
+ assert 'CUSTOM' not in resp['headers']['All-Headers']
+
+ assert 'success' in self.conf(
+ {'http': {'discard_unsafe_fields': False}}, 'settings',
+ )
+
+ resp = check_status("!#$%&'*+.^`|~Custom_Header")
+ assert 'CUSTOM' in resp['headers']['All-Headers']
+
+ assert 'success' in self.conf(
+ {'http': {'discard_unsafe_fields': True}}, 'settings',
+ )
+
+ resp = check_status("!Custom-Header")
+ assert 'CUSTOM' not in resp['headers']['All-Headers']
+
+ resp = check_status("Custom_Header")
+ assert 'CUSTOM' not in resp['headers']['All-Headers']