blob: 5a9a2879865dae11183f68f4c74dd6fc915d0ed1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
From 5897923d523b357f93eb844e386bcc52c5490cdc Mon Sep 17 00:00:00 2001
From: Tom Most <twm@freecog.net>
Date: Mon, 7 Mar 2022 00:03:50 -0800
Subject: [PATCH] Strip only spaces and tabs from header values
Upstream-Status: Backport [https://github.com/twisted/twisted/commit/c3a4e1d015740c1d87a3ec7d57570257e75b0062]
CVE: CVE-2022-24801
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/twisted/web/http.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
index 5491953..262da0b 100644
--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
@@ -2327,7 +2327,7 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
return False
header = header.lower()
- data = data.strip()
+ data = data.strip(b" \t")
if not self._maybeChooseTransferDecoder(header, data):
return False
|
