diff -r 66d0f6ef2a7f Lib/http/server.py
--- a/Lib/http/server.py Thu Feb 28 18:03:16 2013 +0200
+++ b/Lib/http/server.py Tue Mar 05 12:00:52 2013 -0500
@@ -401,12 +401,17 @@
         while not self.close_connection:
             self.handle_one_request()
 
-    def send_error(self, code, message=None):
+    def send_error(self, code, message=None, explain=None):
         """Send and log an error reply.
 
-        Arguments are the error code, and a detailed message.
-        The detailed message defaults to the short entry matching the
-        response code.
+        Arguments are
+        * code:    an HTTP error code
+                   3 digits
+        * message: a simple optional 1 line reason phrase.
+                   *( HTAB / SP / VCHAR / %x80-FF )
+                   defaults to short entry matching the response code
+        * explain: a detailed message defaults to the long entry
+                   matching the response code.
 
         This sends an error response (so it must be called before any
         output has been generated), logs the error, and finally sends
@@ -420,11 +425,12 @@
             shortmsg, longmsg = '???', '???'
         if message is None:
             message = shortmsg
-        explain = longmsg
+        if explain is None:
+            explain = longmsg
         self.log_error("code %d, message %s", code, message)
         # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
         content = (self.error_message_format %
-                   {'code': code, 'message': _quote_html(message), 'explain': explain})
+                   {'code': code, 'message': message, 'explain': _quote_html(explain)})
         self.send_response(code, message)
         self.send_header("Content-Type", self.error_content_type)
         self.send_header('Connection', 'close')
@@ -452,6 +458,14 @@
             message = self.responses[code][0]
         else:
             message = ''
+        # Do not injection of newline in the status line
+        try:
+            if any('\n' is newline
+                   or '\r' is newline
+                   or '\r\n' is newline for newline in message):
+                raise ValueError
+        except ValueError:
+            message = "HTTP reason phrase contained illegal newline(s)."
         if self.request_version != 'HTTP/0.9':
             if not hasattr(self, '_headers_buffer'):
                 self._headers_buffer = []
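Review bot: In the second hunk, `message` is now interpolated into the HTML error body unescaped, because `_quote_html` was moved from `message` to `explain` instead of being applied to both; the comment directly above still promises XSS protection for the whole `content`, and `message` is caller-supplied (the new docstring even allows any VCHAR / %x80-FF in it). Both values should be escaped: `{'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)}`. send_error's body starts in the previous hunk and continues past this one.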
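Review bot: The newline check added in the third hunk never fires reliably: `for newline in message` yields single characters, so `'\r\n' is newline` can never match, and `is` tests object identity rather than equality, so `'\n' is newline` is not guaranteed to be true even when the character is a newline. The try / raise ValueError / except wrapper adds nothing over a direct test and hides the intent. Replace the whole block with `if '\r' in message or '\n' in message:` followed by the same reassignment, and reword the comment to `# Reject CR/LF in the reason phrase so it cannot terminate the status line`. The enclosing method starts before the hunk and continues after it.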