Klaus Demo bjoern / 9fd4d60
CVE-2015-0219 See https://www.djangoproject.com/weblog/2015/jan/13/security/ Jonas Haag 5 years ago
1 changed file(s) with 16 addition(s) and 16 deletion(s). Raw diff Collapse all Expand all
9999 _set_header(k, val); \
100100 Py_DECREF(val); \
101101 } while(0)
102 #define _set_header_free_both(k, v) \
102
103 #define _set_header_from_http_header() \
103104 do { \
104 PyObject* key = (k); \
105 PyObject* val = (v); \
106 _set_header(key, val); \
107 Py_DECREF(key); \
108 Py_DECREF(val); \
109 } while(0)
105 PyObject* key = wsgi_http_header(PARSER->field); \
106 if (key) { \
107 _set_header_free_value(key, PyString_FromStringAndSize(PARSER->value.data, PARSER->value.len)); \
108 Py_DECREF(key); \
109 } \
110 } while(0) \
110111
111112 static int
112113 on_message_begin(http_parser* parser)
138139 {
139140 if(PARSER->value.data) {
140141 /* Store previous header and start a new one */
141 _set_header_free_both(
142 wsgi_http_header(PARSER->field),
143 PyString_FromStringAndSize(PARSER->value.data, PARSER->value.len)
144 );
142 _set_header_from_http_header();
145143 } else if(PARSER->field.data) {
146144 UPDATE_LENGTH(field);
147145 return 0;
167165 on_headers_complete(http_parser* parser)
168166 {
169167 if(PARSER->field.data) {
170 _set_header_free_both(
171 wsgi_http_header(PARSER->field),
172 PyString_FromStringAndSize(PARSER->value.data, PARSER->value.len)
173 );
168 _set_header_from_http_header();
174169 }
175170 return 0;
176171 }
258253
259254 while(header.len--) {
260255 char c = *header.data++;
261 if(c == '-')
256 if (c == '_') {
257 // CVE-2015-0219
258 Py_DECREF(obj);
259 return NULL;
260 }
261 else if(c == '-')
262262 *dest++ = '_';
263263 else if(c >= 'a' && c <= 'z')
264264 *dest++ = c - ('a'-'A');