From 826bfc7e8806e41c52b343ec7f9544c40e1f6b8c Mon Sep 17 00:00:00 2001
From: Benoit Chesneau
Date: Sun, 19 Apr 2026 12:05:00 +0200
Subject: [PATCH] test: add failing fixtures for control chars in header value

---
 .../invalid/rfc9110_field_value_ctl_bel_01.http | 4 ++++
 .../requests/invalid/rfc9110_field_value_ctl_bel_01.py | 10 ++++++++++
 .../invalid/rfc9110_field_value_ctl_del_01.http | 4 ++++
 .../requests/invalid/rfc9110_field_value_ctl_del_01.py | 9 +++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 tests/requests/invalid/rfc9110_field_value_ctl_bel_01.http
 create mode 100644 tests/requests/invalid/rfc9110_field_value_ctl_bel_01.py
 create mode 100644 tests/requests/invalid/rfc9110_field_value_ctl_del_01.http
 create mode 100644 tests/requests/invalid/rfc9110_field_value_ctl_del_01.py

diff --git a/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.http b/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.http
new file mode 100644
index 00000000..de9cee5e
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.http
@@ -0,0 +1,4 @@
+GET /foo HTTP/1.1\r\n
+Host: example.com\r\n
+X-Value: plain\x07injected\r\n
+\r\n
diff --git a/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.py b/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.py
new file mode 100644
index 00000000..4203cfe9
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_field_value_ctl_bel_01.py
@@ -0,0 +1,10 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9110 section 5.5: field-value characters are field-vchar (VCHAR +
+# obs-text) plus SP/HTAB. Control characters other than HTAB must not
+# appear, to prevent log/response injection and parser confusion.
+from gunicorn.http.errors import InvalidHeader
+request = InvalidHeader
+python_only = True
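Review bot: The `X-Value: plain\x07injected\r\n` line only exercises a control character if the fixture loader turns the `\x07` escape into a single BEL byte; if the loader rewrites just the `\r\n`-style escapes that the other lines rely on, the value reaches the parser as the four printable bytes `\`, `x`, `0`, `7`, which RFC 9110 §5.5 permits, and the fixture would fail for a reason unrelated to the missing check and stay red after the check lands. Please confirm the loader decodes `\xNN` escapes, or store the raw byte in the file (or use an escape form the loader already handles). The same applies to `\x7f` in rfc9110_field_value_ctl_del_01.http. Once that is settled, a sibling fixture for NUL (0x00) would round out the C0 range, unless an existing fixture already covers it.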
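Review bot: `python_only = True` is the one statement in the fixture that is left unexplained; the RFC comment above it justifies the expected rejection but says nothing about what the harness does with this flag. A one-line comment such as `# python_only: restrict this fixture to the pure-Python parser path` (worded to match whatever the fixture loader actually keys on — presumably a parser selection, but I could not confirm that from this patch) would save readers a trip to the loader. The same applies to rfc9110_field_value_ctl_del_01.py. Note also that `request = InvalidHeader` pins only the exception type, so a parser that rejects the request for an unrelated reason would also satisfy the fixture; if the harness can match on the message or offending header, tightening it would make the fixture more precise.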
diff --git a/tests/requests/invalid/rfc9110_field_value_ctl_del_01.http b/tests/requests/invalid/rfc9110_field_value_ctl_del_01.http
new file mode 100644
index 00000000..88760579
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_field_value_ctl_del_01.http
@@ -0,0 +1,4 @@
+GET /foo HTTP/1.1\r\n
+Host: example.com\r\n
+X-Value: plain\x7finjected\r\n
+\r\n
diff --git a/tests/requests/invalid/rfc9110_field_value_ctl_del_01.py b/tests/requests/invalid/rfc9110_field_value_ctl_del_01.py
new file mode 100644
index 00000000..cd6cd1aa
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_field_value_ctl_del_01.py
@@ -0,0 +1,9 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9110 section 5.5: DEL (0x7F) is a control character and not a VCHAR;
+# it must not appear in a field-value.
+from gunicorn.http.errors import InvalidHeader
+request = InvalidHeader
+python_only = True