aio-libs · webknjaz · Feb 17, 2019 · Feb 17, 2019
@@ -0,0 +1 @@
+Use sanitized URL as Location header in redirects
@@ -152,6 +152,7 @@ Mathias Fröjdman
 Matthieu Hauglustaine
 Matthieu Rigal
 Michael Ihnatenko
+Mikhail Burshteyn
 Mikhail Kashkin
 Mikhail Lukyanchenko
 Mikhail Nacharov

@@ -203,8 +203,8 @@ def __init__(self,
             raise ValueError("HTTP redirects need a location to redirect to.")
         super().__init__(headers=headers, reason=reason,
                          text=text, content_type=content_type)
-        self.headers['Location'] = str(location)
         self._location = URL(location)
+        self.headers['Location'] = str(self.location)
 
     @property
     def location(self) -> URL:

@@ -133,6 +133,11 @@ def test_HTTPFound_empty_location() -> None:
         web.HTTPFound(location=None)
 
 
+def test_HTTPFound_location_CRLF() -> None:
+    exc = web.HTTPFound(location='/redirect\r\n')
+    assert '\r\n' not in exc.headers['Location']
+
+
 async def test_HTTPMethodNotAllowed() -> None:
     exc = web.HTTPMethodNotAllowed('GET', ['POST', 'PUT'])
     assert 'GET' == exc.method
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Use sanitized URL as Location header in redirects