When setting a header on a request, the header value can contain a newline (also with CR LF). This is not allowed in the HTTP specification and prematurely ends the request.
To Reproduce
1. Listen on a local port with netcat or similar: nc -l 45328
2. Open a Python async REPL: python -m asyncio
3. Enter the following:

    import aiohttp
    headers = { "test": "with newline\n" }
    async with aiohttp.ClientSession() as session:
        await session.post("http://localhost:45328", data=b"test payload", headers=headers)

Observe that the output from netcat shows an empty line in the middle of the request
Expected behavior
I expect an error to be raised because the header value is not allowed.
Logs/tracebacks
REPL:
> python -m asyncio
asyncio REPL 3.9.9
[Clang 13.0.0 (clang-1300.0.29.3)] on darwin
Use "await" directly instead of "asyncio.run()".
Type "help", "copyright", "credits" or "license" for more information.
>>> import asyncio
>>> import aiohttp
>>> headers = { "test": "with newline\n" }
>>> async with aiohttp.ClientSession() as session:
...     await session.post("http://localhost:45328", data=b"test payload", headers=headers)
Netcat:
> nc -l 45328
POST / HTTP/1.1
Host: localhost:45328
test: with newline

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.9 aiohttp/3.7.4.post0
Content-Length: 12
Content-Type: application/octet-stream

test payload%
Python Version
Python 3.9.9
aiohttp Version
Name: aiohttp
Version: 3.7.4.post0
multidict Version
Name: multidict
Version: 5.2.0
yarl Version
Name: yarl
Version: 1.7.2
OS
macOS
Related component
Client
Additional context
No response
Code of Conduct
I agree to follow the aio-libs Code of Conduct
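The check the report asks for, as an added example in pure Python (not aiohttp's code and not the reporter's): it rejects header values containing CR, LF or NUL, which RFC 9110 declares invalid, and shows how a receiver's view of the header block changes when the check is skipped. The names `check_headers`, `serialize`, `fields_seen_by_receiver` and `SAMPLE` are hypothetical, and the sample headers are constructed to mirror the report.

```python
import re

# Header names must be an RFC 9110 "token"; values must not contain CR, LF or NUL.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


class InvalidHeader(ValueError):
    """Raised before anything is written to the socket."""


def check_headers(headers):
    """Return headers unchanged, or raise InvalidHeader naming the offender."""
    for name, value in headers.items():
        # fullmatch, not match() with "$": "$" would accept a trailing "\n".
        if not _TOKEN.fullmatch(name):
            raise InvalidHeader(f"invalid header name: {name!r}")
        if _FORBIDDEN_IN_VALUE.search(value):
            raise InvalidHeader(f"CR, LF or NUL in value of {name!r}: {value!r}")
    return headers


def serialize(method, path, headers, body, validate=True):
    """Build request bytes the way a simple client would (hypothetical helper)."""
    if validate:
        check_headers(headers)
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def fields_seen_by_receiver(raw):
    """Header names a receiver sees: the block ends at the first empty line."""
    names = []
    for line in raw.split(b"\n")[1:]:  # skip the request line
        line = line.rstrip(b"\r")
        if not line:
            break
        names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


# Constructed sample mirroring the report: one value ends in "\n".
SAMPLE = {"Host": "localhost:45328", "test": "with newline\n",
          "Content-Length": "12", "Content-Type": "application/octet-stream"}
```

Without validation the receiver's header block stops after `test`, so `Content-Length` and `Content-Type` fall outside it; with validation the request is never built.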