
ValueError: Unsafe header value


I have developed quite a big web application using Tornado 4.2. One of the handlers of my application is responsible for verifying the login details of the user through a POST request.

Specifically in this handler I use signed cookies with set_secure_cookie to identify the logged in users and their permissions, using the below code:

self.set_cookie("user", self.get_argument("username"), domain=".my-domain.com", expires_days=None, httpOnly=True) 
self.set_secure_cookie("access", str(data['permissions']), expires_days=None, httpOnly=True)

After setting the cookies I use Tornado's redirect to send the user to another URL.

self.redirect("/"+lang+"/base_fx.html")

In most cases it works as expected without any issue. However, for some users I get the error below.

    self.redirect("/"+lang+"/base_fx.html")
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 671, in redirect
    self.finish()
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 934, in finish
    self.flush(include_footers=True)
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 884, in flush
    self.add_header("Set-Cookie", cookie.OutputString(None))
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 339, in add_header
    self._headers.add(name, self._convert_header_value(value))
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 369, in _convert_header_value
    raise ValueError("Unsafe header value %r", value)
ValueError: ('Unsafe header value %r', 'access="2|1:0|10:1485161516|6:access|3892:eydvd…<long string>..f0a2f8ad"; httponly; Path=/')
ERROR:tornado.general:Cannot send error response after headers written

Has anyone come across a similar issue?


Solution

  • Georg Jung's post pointed me in the right direction. The issue I faced, ValueError: Unsafe header value, is related to two existing issues, 1473 and 1025, which have now been solved in version 4.3 of Tornado. The issue for me was that some usernames were longer than others, resulting in the header size for these usernames being greater than 4000.

    So to properly solve this issue you can take one of the two actions below:

    1. Update your Tornado to a version equal to or greater than 4.3.
    2. Or if you do not want to upgrade it, you can increase the limit of the header size to be 8000 or more. You can do that by changing the file web.py in the installed distribution of Tornado in your system.

    For example on a Debian system the path is:

    usr/lib/python3.2/dist-packages/tornado/web.py
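
An added example (not part of the original post and not Tornado's own code): a standard-library pre-check that models the signed-cookie layout visible in the traceback and estimates the Set-Cookie length against the 4000 limit described in the answer, so oversized payloads can be caught before redirect() is called. The function names, demo secret and payloads are constructed for illustration, and the value is assumed to be quoted as it is in the traceback.

```python
import base64
import hashlib
import hmac
import time

HEADER_LIMIT = 4000  # header length limit described in the answer (Tornado 4.2)


def signed_value_v2(secret, name, value, timestamp=None):
    """Model of the "2|1:0|<ts>|<name>|<base64 value>|<signature>" layout
    seen in the traceback. Hypothetical helper, not Tornado's implementation."""
    def field(b):
        # Each field is length-prefixed, e.g. b"6:access".
        return str(len(b)).encode() + b":" + b
    ts = str(int(time.time() if timestamp is None else timestamp)).encode()
    to_sign = b"|".join([
        b"2", field(b"0"), field(ts), field(name.encode()),
        field(base64.b64encode(value.encode("utf-8"))), b""])
    # HMAC-SHA256 hex digest appended after the trailing "|" (64 characters).
    return to_sign + hmac.new(secret, to_sign, hashlib.sha256).hexdigest().encode()


def set_cookie_header_len(secret, name, value,
                          attrs="; httponly; Path=/", timestamp=None):
    """Length of name="<signed value>"<attrs>, the shape shown in the error."""
    signed = signed_value_v2(secret, name, value, timestamp)
    return len(name) + len('="') + len(signed) + len('"') + len(attrs)


def fits_limit(secret, name, value):
    """True if the estimated header stays within HEADER_LIMIT."""
    return set_cookie_header_len(secret, name, value) <= HEADER_LIMIT


if __name__ == "__main__":
    secret = b"constructed-demo-secret"           # constructed, not a real key
    payloads = {
        "small": str(["read", "write"]),          # constructed permission list
        "large": "x" * 2919,                      # encodes to 3892 base64 chars
    }
    for label, payload in payloads.items():
        n = set_cookie_header_len(secret, "access", payload, timestamp=1485161516)
        print(label, n, "ok" if n <= HEADER_LIMIT else "over the 4000 limit")
```

Base64 encoding and the signature add roughly a third plus about 126 characters to the raw payload, so under these assumptions a value of around 2900 bytes is already enough to cross the limit.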