From 789e2f135f361d26adda67918fe3f7c4b6ec01b8 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 28 Jul 2020 14:08:17 +0100
Subject: [PATCH] Disallow invalid header characters (#725)

* Disallow invalid header characters

* Linting

* Fix escape sequence
---
 uvicorn/protocols/http/httptools_impl.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/uvicorn/protocols/http/httptools_impl.py b/uvicorn/protocols/http/httptools_impl.py
index 7a60733ce..18161e1e9 100644
--- a/uvicorn/protocols/http/httptools_impl.py
+++ b/uvicorn/protocols/http/httptools_impl.py
@@ -1,6 +1,7 @@
 import asyncio
 import http
 import logging
+import re
 import urllib
 
 import httptools
@@ -13,6 +14,9 @@
     is_ssl,
 )
 
+HEADER_RE = re.compile(b'[\x00-\x1F\x7F()<>@,;:[]={} \t\\"]')
+HEADER_VALUE_RE = re.compile(b"[\x00-\x1F\x7F]")
+
 
 def _get_status_line(status_code):
     try:
@@ -459,6 +463,11 @@ async def send(self, message):
             content = [STATUS_LINE[status_code]]
 
             for name, value in headers:
+                if HEADER_RE.search(name):
+                    raise RuntimeError("Invalid HTTP header name.")
+                if HEADER_VALUE_RE.search(value):
+                    raise RuntimeError("Invalid HTTP header value.")
+
                 name = name.lower()
                 if name == b"content-length" and self.chunked_encoding is None:
                     self.expected_content_length = int(value.decode())
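Review bot: The character class in `HEADER_RE` is terminated early: inside a `re` set an unescaped `]` closes the set unless it is the first member, so `[\x00-\x1F\x7F()<>@,;:[]` is the whole class and `={} \t\\"]` becomes a literal suffix that must follow the matched byte. As written the name check only fires on a control or separator byte immediately followed by that exact 7-byte sequence, so a name containing a bare space, CR or LF is not rejected and the guard that this commit adds in `send` is effectively dead. Escape the bracket in the bytes literal so the regex sees `\]`: `HEADER_RE = re.compile(b'[\x00-\x1F\x7F()<>@,;:[\\]={} \t\\"]')`. A unit test that sends a header name containing `b" "` or `b"\r\n"` and expects `RuntimeError` would have caught this and should accompany the change; note also that `HEADER_VALUE_RE` rejects HTAB (0x09), which RFC 7230 field-content permits, so that is a deliberate tightening worth a comment if intended.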
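Review bot: The two new guards in the header loop carry no explanation of what they protect, and the error messages give the application author nothing to locate the offending header. I would add a comment above the first check, `# Reject CTL/separator bytes in names and CTL bytes in values so an app-supplied header cannot alter response framing (CR/LF injection).`, and consider including the header name in the message, e.g. `raise RuntimeError(f"Invalid HTTP header name: {name!r}")` (the value itself is better left out of logs). The loop also assumes `name` and `value` are already `bytes`, as ASGI requires; a `str` from a non-conforming app will surface as a `TypeError` from `.search` rather than the new `RuntimeError`, which may be worth stating in the comment. The body of `send` continues outside this hunk.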