Disallow newlines in reason

aio-libs · Sep 17, 2024 · a951374 · a951374
1 parent bf022b3
commit a951374
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/aiohttp/web_exceptions.py b/aiohttp/web_exceptions.py
@@ -99,6 +99,8 @@ def __init__(
         super().__init__()
         if reason is None:
             reason = self.default_reason
+        elif "\n" in reason:
+            raise ValueError("Reason cannot contain \\n")
 
         if text is None:
             if not self.empty_body:

diff --git a/aiohttp/web_response.py b/aiohttp/web_response.py
@@ -165,6 +165,8 @@ def set_status(
                 reason = HTTPStatus(self._status).phrase
             except ValueError:
                 reason = ""
+        if "\n" in reason:
+            raise ValueError("Reason cannot contain \\n")
         self._reason = reason
 
     @property

diff --git a/tests/test_web_exceptions.py b/tests/test_web_exceptions.py
@@ -183,6 +183,10 @@ def test_ctor_all(self) -> None:
         assert resp.reason == "Done"
         assert resp.status == 200
 
+    def test_multiline_reason(self) -> None:
+        with pytest.raises(ValueError, match=r"Reason cannot contain \\n"):
+            web.HTTPOk(reason="Bad\r\nInjected-header: foo")
+
     def test_pickle(self) -> None:
         resp = web.HTTPOk(
             headers={"X-Custom": "value"},

diff --git a/tests/test_web_response.py b/tests/test_web_response.py
@@ -1076,6 +1076,12 @@ async def test_render_with_body(buf: Any, writer: Any) -> None:
     )
 
 
+async def test_multiline_reason(buf: Any, writer: Any) -> None:
+    req = make_request("GET", "/", writer=writer)
+    with pytest.raises(ValueError, match=r"Reason cannot contain \\n"):
+        Response(reason="Bad\r\nInjected-header: foo")
+
+
 async def test_send_set_cookie_header(buf: Any, writer: Any) -> None:
     resp = Response()
     resp.cookies["name"] = "value"