diff options
-rw-r--r-- | test/python/header_fields/wsgi.py | 9 | ||||
-rw-r--r-- | test/test_http_header.py | 38 |
2 files changed, 47 insertions, 0 deletions
diff --git a/test/python/header_fields/wsgi.py b/test/python/header_fields/wsgi.py new file mode 100644 index 00000000..bd1ba0e2 --- /dev/null +++ b/test/python/header_fields/wsgi.py @@ -0,0 +1,9 @@ +def application(environ, start_response): + + h = (k for k, v in environ.items() if k.startswith('HTTP_')) + + start_response('200', [ + ('Content-Length', '0'), + ('All-Headers', ','.join(h)) + ]) + return [] diff --git a/test/test_http_header.py b/test/test_http_header.py index b1c77066..fdb557cf 100644 --- a/test/test_http_header.py +++ b/test/test_http_header.py @@ -431,3 +431,41 @@ Connection: close )['status'] == 400 ), 'Host multiple fields' + + def test_http_discard_unsafe_fields(self): + self.load('header_fields') + + def check_status(header): + resp = self.get( + headers={ + 'Host': 'localhost', + header: 'blah', + 'Connection': 'close', + } + ) + + assert resp['status'] == 200 + return resp + + resp = check_status("!Custom-Header") + assert 'CUSTOM' not in resp['headers']['All-Headers'] + + resp = check_status("Custom_Header") + assert 'CUSTOM' not in resp['headers']['All-Headers'] + + assert 'success' in self.conf( + {'http': {'discard_unsafe_fields': False}}, 'settings', + ) + + resp = check_status("!#$%&'*+.^`|~Custom_Header") + assert 'CUSTOM' in resp['headers']['All-Headers'] + + assert 'success' in self.conf( + {'http': {'discard_unsafe_fields': True}}, 'settings', + ) + + resp = check_status("!Custom-Header") + assert 'CUSTOM' not in resp['headers']['All-Headers'] + + resp = check_status("Custom_Header") + assert 'CUSTOM' not in resp['headers']['All-Headers'] |