Comments (7)
Hi,
Thank you for the report.
I've tested your entries:

from requests import get

entries = [
    '\x00',
    '\x07',
    'invalid"',
    'invalid/'
]

for entry in entries:
    # Send each entry as a header name and check whether the server rejects it.
    r = get(
        "https://httpbin.org/headers",
        headers={
            entry: "test"
        }
    )
    print(
        entry,
        "KO" if r.status_code == 400 else "OK"
    )

KO = does not work and the remote server responds with 400/INVALID REQUEST
OK = Fine
- 'invalid"' is KO
- 'invalid/' is OK
- '\x07' is KO
- '\x00' is KO
from kiss-headers.
Further tests on the '/' indicate that this character is allowed anywhere, beginning, ending, multiple times.
from kiss-headers.
More:

from kiss_headers import parse_it
from kiss_headers.utils import is_legal_header_name
from requests import get, post

if __name__ == "__main__":
    entries = [
        'invalid/',
        '/invalid',
        '/',
        '//invalid/'
    ]

    for entry in entries:
        # Compare the server's answer with the library's own header-name check.
        r = get(
            "https://httpbin.org/headers",
            headers={
                entry: "test"
            }
        )
        print(
            entry,
            "KO" if r.status_code == 400 else "OK",
            f"is_legal_header_name({is_legal_header_name(entry)})"
        )

from kiss-headers.
cf. PR #42
- v2.2.4
from kiss-headers.
The remote server of httpbin.org is "gunicorn", which does not always follow the original source (RFCs);
an even more widely used server, such as nginx, follows the original source.
One more thing: "\x7f" may be risky in a command-line environment (terminal), such as when logging to some kind of console.
Fine, we can say the meaning of the 7F Unicode code point has been unclear; it all depends.
Anyway, the only reason I raised this issue is the RFC definitions below:
RFC2616 https://tools.ietf.org/html/rfc2616#page-17

    message-header = field-name ":" [ field-value ]
    field-name     = token
    token          = 1*<any CHAR except CTLs or separators>
    separators     = "(" | ")" | "<" | ">" | "@"
                   | "," | ";" | ":" | "\" | <">
                   | "/" | "[" | "]" | "?" | "="
                   | "{" | "}" | SP | HT

RFC7230 https://tools.ietf.org/html/rfc7230#page-27

    ... Delimiters are chosen from the set of US-ASCII
    visual characters not allowed in a token
    (DQUOTE and "(),/:;<=>?@[\]{}").

    header-field = field-name ":" OWS field-value OWS
    field-name   = token
    token        = 1*tchar
    tchar        = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                 / DIGIT / ALPHA
                 ; any VCHAR, except delimiters

which say that separators or delimiters are excluded (the "/" is not allowed).
from kiss-headers.
We have to be flexible regarding the RFC. I did not say that httpbin was RFC compliant.
Flexible but not too much.
For ref, look at encode/httpx#1363 + all related topics/issues on httpx deps.
from kiss-headers.
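
The RFC 7230 `token` rule quoted in this thread, written out as a strict field-name check and compared with the httpbin.org results reported above. This is an added example, not code from the thread or from kiss-headers; `violations`, `is_strict_token`, `disagreements` and the `OBSERVED` table are names assumed here, and the extra names in the demo loop are constructed.

```python
import string

# RFC 7230 section 3.2.6: tchar = "!" / "#" / ... / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)
# Delimiters named by RFC 7230: DQUOTE and "(),/:;<=>?@[\]{}"
DELIMITERS = frozenset('"(),/:;<=>?@[\\]{}')


def violations(name: str) -> list[tuple[int, str, str]]:
    """Return (index, escaped char, reason) for every char that is not a tchar."""
    found = []
    for i, ch in enumerate(name):
        if ch in TCHAR:
            continue
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            reason = "control character"
        elif ch == " ":
            reason = "whitespace"
        elif ch in DELIMITERS:
            reason = "delimiter"
        else:
            reason = "non-ASCII"
        # Escape the character so a report never writes raw CTLs to a terminal.
        found.append((i, ch.encode("unicode_escape").decode("ascii"), reason))
    return found


def is_strict_token(name: str) -> bool:
    """True only for a non-empty name made entirely of tchar (token = 1*tchar)."""
    return bool(name) and not violations(name)


# Results reported in the thread for httpbin.org (KO = HTTP 400, OK = accepted).
OBSERVED = {"\x00": "KO", "\x07": "KO", 'invalid"': "KO", "invalid/": "OK"}


def disagreements() -> list[str]:
    """Names where the strict grammar and the observed server behaviour differ."""
    return [repr(name) for name, seen in OBSERVED.items()
            if is_strict_token(name) != (seen == "OK")]


if __name__ == "__main__":
    # The names after the OBSERVED ones are constructed samples, not thread results.
    for name in list(OBSERVED) + ["/invalid", "/", "//invalid/", "x\x7f", "X-Ok"]:
        print(repr(name), is_strict_token(name), violations(name))
    print("strict grammar vs. server:", disagreements())
```
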