Sanitize URL in Location header in redirects

m-burst · webknjaz · commit cc4fffdd6019 · 2019-02-17T22:35:42.000+01:00
PR aio-libs#3613 by @m-burst
diff --git a/CHANGES/3613.bugfix b/CHANGES/3613.bugfix
@@ -0,0 +1 @@
+Use sanitized URL as Location header in redirects
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
@@ -152,6 +152,7 @@ Mathias Fröjdman
 Matthieu Hauglustaine
 Matthieu Rigal
 Michael Ihnatenko
+Mikhail Burshteyn
 Mikhail Kashkin
 Mikhail Lukyanchenko
 Mikhail Nacharov
diff --git a/aiohttp/web_exceptions.py b/aiohttp/web_exceptions.py
@@ -203,8 +203,8 @@ def __init__(self,
             raise ValueError("HTTP redirects need a location to redirect to.")
         super().__init__(headers=headers, reason=reason,
                          text=text, content_type=content_type)
-        self.headers['Location'] = str(location)
         self._location = URL(location)
+        self.headers['Location'] = str(self.location)
 
     @property
     def location(self) -> URL:
diff --git a/tests/test_web_exceptions.py b/tests/test_web_exceptions.py
@@ -133,6 +133,11 @@ def test_HTTPFound_empty_location() -> None:
         web.HTTPFound(location=None)
 
 
+def test_HTTPFound_location_CRLF() -> None:
+    exc = web.HTTPFound(location='/redirect\r\n')
+    assert '\r\n' not in exc.headers['Location']
+
+
 async def test_HTTPMethodNotAllowed() -> None:
     exc = web.HTTPMethodNotAllowed('GET', ['POST', 'PUT'])
     assert 'GET' == exc.method

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Use sanitized URL as Location header in redirects`