For webhook integration, validate each header line separately

CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 - Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection
 - Fix List-Unsubscribe email header value: add angle brackets
 - Unsubscribe links serve a form, and require HTTP POST to actually unsubscribe
+- For webhook integration, validate each header line separately
 
 
 ## v1.11.0 - 2019-11-22

hc/front/forms.py

@@ -27,7 +27,7 @@ class HeadersField(forms.Field):
             if not line.strip():
                 continue
 
-            if ":" not in value:
+            if ":" not in line:
                 raise ValidationError(self.message)
 
             n, v = line.split(":", maxsplit=1)

hc/front/tests/test_add_webhook.py

@@ -122,12 +122,12 @@ class AddWebhookTestCase(BaseTestCase):
         form = {
             "method_down": "GET",
             "url_down": "http://example.org",
-            "headers_down": "invalid-headers",
+            "headers_down": "invalid-header\nfoo:bar",
             "method_up": "GET",
         }
 
         r = self.client.post(self.url, form)
-        self.assertContains(r, """invalid-headers""")
+        self.assertContains(r, """invalid-header""")
         self.assertEqual(Channel.objects.count(), 0)
 
     def test_it_strips_headers(self):