-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strictly require ASCII headers names and values #137
Conversation
-1 |
@asvetlov I wonder why if the main specification tell the other? If some server doesn't follows the RFC there are too many places where his support may be broken. |
I afraid the spec describes desired situation, not the status quo. Sure, non-ascii headers are evil but personally I would like to have support for it if possible. |
Well, my motivation for this change was dictated on two aspects:
|
@fafhrd91 @popravich your thoughts? |
RFCs are good but I agree with @asvetlov -- we should support non-ascii headers. $ telnet httpbin.org 80
Trying 107.20.143.59...
Connected to httpbin.org.
Escape character is '^]'.
GET /cookies HTTP/1.1
Host: httpbin.org
Cookie: key1=тест
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Wed, 13 Aug 2014 15:08:42 GMT
Server: gunicorn/18.0
Content-Length: 61
Connection: keep-alive
{
"cookies": {
"key1": "\u0442\u0435\u0441\u0442"
}
} same with aiohttp: import asyncio, aiohttp
loop = asyncio.get_event_loop()
req = aiohttp.request('get', 'http://httpbin.org/cookies', cookies={'key': 'тест'})
resp = loop.run_until_complete(req)
loop.run_until_complete(resp.json())
# {'cookies': {'key': 'тест'}} so I don't see a big problem in non-ascii headers. |
Here is the problem:
|
-1 for header values |
agree to @fafhrd91 |
Ok, what about handling header names/values as bytes if only they are printable ascii? |
printable ascii is too complicated. lets enforce ascii for header names for now. |
@kxepal could you change your PR, I'd like to make another release during weekend |
Yes, I will, just waited for the feedback on ASCII bytes. I'm ok with, however, this wouldn't change things a lot: according RFC only printable ASCII are allowed for headers name/values and they are strongly recommended to be lesser than 0x80 char, so it's only matter of single decode call. Will update PR in a moment. |
Done with new commit message. |
Everyone happy with proposed changes? Can I merge it? |
Sorry for delay. I don't like isinstance check. |
@fafhrd91 isinstance for name or value? |
For both. I am happy with asserts On Thursday, August 28, 2014, Andrew Svetlov [email protected]
|
@fafhrd91 assert isn't the right way to check the things since 1) it can be stripped from compiled bytecode (and nothings it will guard after that) 2) it raises semantically wrong error type for the our constraint 3) you still have to provide meaningful error message and for assertion long descriptions leads to ugly code |
if you create application that can send wrong header in production mode then you doomed :) |
@fafhrd91 fair enough, thought still don't feel that's right. I'll update PR. |
Header value still can have unicode values. Also raise proper exception for invalid type or value with a friendly error message. See http://tools.ietf.org/html/rfc7230#section-3.2.4 for more info.
Done. Thought, it still wouldn't protect you completely since different servers reacts differently on punctuation characters in header name. |
Everything is tradeoff. If you are that bad and put punctuation into header On Friday, August 29, 2014, Alexander Shorin [email protected]
|
Strictly require ASCII headers names and values
Allowing non-ASCII headers names and values may eventually cause some
nasty errors which may be hard to debug.
Also, this change allows to pass headers name and values as bytes in
case when they fulfils the requirements. Very useful when header have
to contain some base64 encoded value which is in bytes by default.