Add error handling for invalid redirect path in StaticFileHandler

crystal-lang · Jan 22, 2018 · 0c2b028 · 0c2b028
1 parent ff02d2d
commit 0c2b028
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/spec/std/http/server/handlers/static_file_handler_spec.cr b/spec/std/http/server/handlers/static_file_handler_spec.cr
@@ -124,4 +124,9 @@ describe HTTP::StaticFileHandler do
       response.status_code.should eq(400)
     end
   end
+
+  it "handles invalid redirect path" do
+    response = handle HTTP::Request.new("GET", "test.txt%0A")
+    response.status_code.should eq(400)
+  end
 end
diff --git a/src/http/server/handlers/static_file_handler.cr b/src/http/server/handlers/static_file_handler.cr
@@ -100,7 +100,10 @@ class HTTP::StaticFileHandler
     context.response.status_code = 302
 
     url = URI.escape(url) { |b| URI.unreserved?(b) || b != '/' }
-    context.response.headers.add "Location", url
+    unless context.response.headers.add? "Location", url
+      # Bad request if location is invalid header value
+      context.response.status_code = 400
+    end
   end
 
   private def mime_type(path)