From be286518b7672476f955b12b3b69d493e9f3b44a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Fri, 27 Dec 2019 13:56:33 +0200
Subject: [PATCH] For webhook integration, validate each header line separately
---
CHANGELOG.md | 1 +
hc/front/forms.py | 2 +-
hc/front/tests/test_add_webhook.py | 4 ++--
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d9e2c7c..78b8aea2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
- Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection
- Fix List-Unsubscribe email header value: add angle brackets
- Unsubscribe links serve a form, and require HTTP POST to actually unsubscribe
+- For webhook integration, validate each header line separately
## v1.11.0 - 2019-11-22
diff --git a/hc/front/forms.py b/hc/front/forms.py
index cd974cd9..70f3b4c7 100644
--- a/hc/front/forms.py
+++ b/hc/front/forms.py
@@ -27,7 +27,7 @@ class HeadersField(forms.Field):
if not line.strip():
continue
-            if ":" not in value:
+            if ":" not in line:
raise ValidationError(self.message)
n, v = line.split(":", maxsplit=1)
diff --git a/hc/front/tests/test_add_webhook.py b/hc/front/tests/test_add_webhook.py
index 3e83d8e5..7e231db2 100644
--- a/hc/front/tests/test_add_webhook.py
+++ b/hc/front/tests/test_add_webhook.py
@@ -122,12 +122,12 @@ class AddWebhookTestCase(BaseTestCase):
form = {
"method_down": "GET",
"url_down": "http://example.org",
-            "headers_down": "invalid-headers",
+            "headers_down": "invalid-header\nfoo:bar",
"method_up": "GET",
}
r = self.client.post(self.url, form)
-        self.assertContains(r, """invalid-headers""")
+        self.assertContains(r, """invalid-header""")
self.assertEqual(Channel.objects.count(), 0)
def test_it_strips_headers(self):
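Review bot: The corrected `if ":" not in line:` still lets a line such as `:value` or ` : ` through, and nothing visible after `n, v = line.split(":", maxsplit=1)` rejects an empty header name, so an all-whitespace `n` could end up as a header on an outgoing webhook request unless a later check (outside this hunk) catches it. I would add `if not n.strip(): raise ValidationError(self.message)` directly after the split. The way `line` is produced is also outside the hunk; if the field splits on `"\n"` only, a trailing `"\r"` survives in `v` on CRLF input, which is worth a `.strip()` or an explicit check given these values are user-controlled and sent as HTTP headers. The enclosing clean method begins and ends outside this hunk, so some of this may already be handled there.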
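Review bot: `self.assertContains(r, """invalid-header""")` on the new side does not by itself prove that validation fired: if the re-rendered form echoes the submitted value back into the textarea (usual for a bound Django form, though the template is not visible here), the string is present whether or not HeadersField raised, and `assertContains` would have passed on the old code too. Assert the error text instead, e.g. the message HeadersField raises (`self.message` in forms.py), and keep `self.assertEqual(Channel.objects.count(), 0)` as the behavioural check. A second input with the bad line last, `"foo:bar\ninvalid-header"`, would further show that every line is validated, not only the first. The test method begins outside this hunk.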