For webhook integration, validate each header line separately

2019-12-27 13:56:33 +02:00 · 2019-12-27 13:56:33 +02:00 · be286518b7
commit be286518b7
parent 057a6fe56b
3 changed files with 4 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 - Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection
 - Fix List-Unsubscribe email header value: add angle brackets
 - Unsubscribe links serve a form, and require HTTP POST to actually unsubscribe
+- For webhook integration, validate each header line separately


 ## v1.11.0 - 2019-11-22
--- a/hc/front/forms.py
+++ b/hc/front/forms.py
@ -27,7 +27,7 @@ class HeadersField(forms.Field):
            if not line.strip():
                continue

-            if ":" not in value:
+            if ":" not in line:
                raise ValidationError(self.message)

            n, v = line.split(":", maxsplit=1)
--- a/hc/front/tests/test_add_webhook.py
+++ b/hc/front/tests/test_add_webhook.py
@ -122,12 +122,12 @@ class AddWebhookTestCase(BaseTestCase):
        form = {
            "method_down": "GET",
            "url_down": "http://example.org",
-            "headers_down": "invalid-headers",
+            "headers_down": "invalid-header\nfoo:bar",
            "method_up": "GET",
        }

        r = self.client.post(self.url, form)
-        self.assertContains(r, """invalid-headers""")
+        self.assertContains(r, """invalid-header""")
        self.assertEqual(Channel.objects.count(), 0)

    def test_it_strips_headers(self):