test: add failing fixtures for control chars in header value

This commit is contained in:
Benoit Chesneau 2026-04-19 12:05:00 +02:00
parent 9f7f930a81
commit 826bfc7e88
4 changed files with 27 additions and 0 deletions

View File

@ -0,0 +1,4 @@
GET /foo HTTP/1.1\r\n
Host: example.com\r\n
X-Value: plain\x07injected\r\n
\r\n

View File

@ -0,0 +1,10 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9110 section 5.5: field-value characters are field-vchar (VCHAR +
# obs-text) plus SP/HTAB. Control characters other than HTAB must not
# appear, to prevent log/response injection and parser confusion.
from gunicorn.http.errors import InvalidHeader
request = InvalidHeader
python_only = True

View File

@ -0,0 +1,4 @@
GET /foo HTTP/1.1\r\n
Host: example.com\r\n
X-Value: plain\x7finjected\r\n
\r\n

View File

@ -0,0 +1,9 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9110 section 5.5: DEL (0x7F) is a control character and not a VCHAR;
# it must not appear in a field-value.
from gunicorn.http.errors import InvalidHeader
request = InvalidHeader
python_only = True