From 37dbef401c97995e669fe6bfc9120b682908fc70 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 30 Aug 2019 11:18:36 -0700
Subject: [PATCH] Clear fewer headers on 1xx/204/304 responses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This function is called on more than just 304 responses; it’s important to permit the Allow header on 204 responses. Also, the relevant RFCs have changed significantly. Fixes #2726.
Signed-off-by: Anders Kaseorg
---
 tornado/web.py | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/tornado/web.py b/tornado/web.py
index adbf591e50..41f9d4c398 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -1138,7 +1138,7 @@ def finish(self, chunk: Optional[Union[str, bytes, dict]] = None) -> "Future[Non
 assert not self._write_buffer, (
 "Cannot send body with %s" % self._status_code
 )
- self._clear_headers_for_304()
+ self._clear_representation_headers()
 elif "Content-Length" not in self._headers:
 content_length = sum(len(part) for part in self._write_buffer)
 self.set_header("Content-Length", content_length)
@@ -1803,20 +1803,15 @@ def render(*args, **kwargs) -> str: # type: ignore
 def _ui_method(self, method: Callable[..., str]) -> Callable[..., str]:
 return lambda *args, **kwargs: method(self, *args, **kwargs)

- def _clear_headers_for_304(self) -> None:
- # 304 responses should not contain entity headers (defined in
- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7.1)
+ def _clear_representation_headers(self) -> None:
+ # 304 responses should not representation metadata headers (defined in
+ # https://tools.ietf.org/html/rfc7231#section-3.1)
 # not explicitly allowed by
- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5
+ # https://tools.ietf.org/html/rfc7232#section-4.1
 headers = [
- "Allow",
 "Content-Encoding",
 "Content-Language",
- "Content-Length",
- "Content-MD5",
- "Content-Range",
 "Content-Type",
- "Last-Modified",
 ]
 for h in headers:
 self.clear_header(h)
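Review bot: Dropping "Content-Length" from the list in `_clear_representation_headers` means a Content-Length that a handler set earlier now survives onto every status this helper serves, and per the commit title that includes 1xx and 204, where RFC 7230 section 3.3.2 says a server must not send the field. A non-zero length on a response that carries no body can leave a client or intermediary on a kept-alive connection disagreeing with the server about where the response ends. I would either keep the removal for those statuses after the loop, `if self._status_code != 304:` followed by `self.clear_header("Content-Length")`, or confirm that the connection layer (not visible in this patch) strips the field. Separately, the new comment reads "should not representation metadata headers" (missing "contain") and still names only 304; I would word it `# 1xx, 204 and 304 responses should not contain representation metadata headers (defined in`.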