We are too restrictive on the list of characters that are allowed to be
used in "header name" for the --add-headers option.
The HTTP specification allows a larger set of characters for header names.
Adding the following ones: !#$%&*+^_|
Still, even if no issue is to be expected, I would not advise anyone to
use any of these chars for a header name.
... | ... |
@@ -383,7 +383,7 @@ class Config(object): |
383 | 383 |
if cp.get('add_headers'): |
384 | 384 |
for option in cp.get('add_headers').split(","): |
385 | 385 |
(key, value) = option.split(':') |
386 |
- self.extra_headers[key.replace('_', '-').strip()] = value.strip() |
|
386 |
+ self.extra_headers[key.strip()] = value.strip() |
|
387 | 387 |
|
388 | 388 |
self._parsed_files.append(configfile) |
389 | 389 |
|
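Review bot: The config-file path now stores `key.strip()` with no character check and no lowercasing, while the `--add-header` path in `main()` rejects names outside its allowed set and stores `key.strip().lower()`. With the `_` to `-` rewrite removed, whatever precedes the colon in `add_headers` reaches `extra_headers` verbatim, so the same header given in both places can end up under two differently cased keys. I would apply the same rule here, e.g. `key = key.strip().lower()` followed by the `re.sub(r"[a-zA-Z0-9\-.!#$%&*+^_|]", "", key)` test used in `main()`, ideally through one shared helper (this assumes `re` is available in this module, which is not visible). Separately, the unchanged `option.split(':')` above raises `ValueError` on any value containing a colon, unlike `split(":", 1)` in `main()`. The enclosing method starts outside this hunk.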
... | ... |
@@ -2835,13 +2835,16 @@ def main(): |
2835 | 2835 |
key, val = unicodise_s(hdr).split(":", 1) |
2836 | 2836 |
except ValueError: |
2837 | 2837 |
raise ParameterError("Invalid header format: %s" % unicodise_s(hdr)) |
2838 |
- key_inval = re.sub("[a-zA-Z0-9-.]", "", key) |
|
2838 |
+ # key char restrictions of the http headers name specification |
|
2839 |
+ key_inval = re.sub(r"[a-zA-Z0-9\-.!#$%&*+^_|]", "", key) |
|
2839 | 2840 |
if key_inval: |
2840 | 2841 |
key_inval = key_inval.replace(" ", "<space>") |
2841 | 2842 |
key_inval = key_inval.replace("\t", "<tab>") |
2842 |
- raise ParameterError("Invalid character(s) in header name '%s': \"%s\"" % (key, key_inval)) |
|
2843 |
- debug(u"Updating Config.Config extra_headers[%s] -> %s" % (key.replace('_', '-').strip().lower(), val.strip())) |
|
2844 |
- cfg.extra_headers[key.replace('_', '-').strip().lower()] = val.strip() |
|
2843 |
+ raise ParameterError("Invalid character(s) in header name '%s'" |
|
2844 |
+ ": \"%s\"" % (key, key_inval)) |
|
2845 |
+ debug(u"Updating Config.Config extra_headers[%s] -> %s" % |
|
2846 |
+ (key.strip().lower(), val.strip())) |
|
2847 |
+ cfg.extra_headers[key.strip().lower()] = val.strip() |
|
2845 | 2848 |
|
2846 | 2849 |
# Process --remove-header |
2847 | 2850 |
if options.remove_headers: |
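Review bot: Only the header name is validated; `val.strip()` is stored as is on the `cfg.extra_headers[...]` line, and `strip()` removes only leading and trailing whitespace, so a CR or LF embedded in the value is kept. Whether the HTTP layer later rejects such a value is not visible here, so I would reject it at parse time next to the name check: `if re.search(r"[\r\n]", val): raise ParameterError("Invalid character(s) in header value for '%s'" % key)`. The new comment could also say that the class is a deliberate subset of the RFC 7230 `tchar` set (it leaves out `'`, the backtick and `~`), and that `_` is no longer rewritten to `-`, so names with underscores are now sent unchanged. `main()` starts before and continues past this hunk.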