
Fix another potential XSS issue, and add test for the previous one.

Jelmer Vernooij há 11 anos atrás
pai
commit
478d142713
2 ficheiros alterados com 5 adições e 3 exclusões
  1. 4 2
      dulwich/tests/test_web.py
  2. 1 1
      dulwich/web.py

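--- a/dulwich/tests/test_web.py
+++ b/dulwich/tests/test_web.py
@@ -306,8 +306,9 @@ class SmartHandlersTestCase(WebTestCase):
 
     def test_handle_service_request_unknown(self):
         mat = re.search('.*', '/git-evil-handler')
-        list(handle_service_request(self._req, 'backend', mat))
+        content = list(handle_service_request(self._req, 'backend', mat))
         self.assertEqual(HTTP_FORBIDDEN, self._status)
+        self.assertFalse('git-evil-handler' in "".join(content))
         self.assertFalse(self._req.cached)
 
     def _run_handle_service_request(self, content_length=None):
@@ -337,7 +338,8 @@ class SmartHandlersTestCase(WebTestCase):
 
     def test_get_info_refs_unknown(self):
         self._environ['QUERY_STRING'] = 'service=git-evil-handler'
-        list(get_info_refs(self._req, 'backend', None))
+        content = list(get_info_refs(self._req, 'backend', None))
+        self.assertFalse('git-evil-handler' in "".join(content))
         self.assertEqual(HTTP_FORBIDDEN, self._status)
         self.assertFalse(self._req.cached)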
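Review bot: The two added `self.assertFalse('git-evil-handler' in "".join(content))` lines report only "False is not true" when they fail, hiding the body that leaked the value; `self.assertNotIn('git-evil-handler', "".join(content))` names the offending body in the failure message and states the intent directly. The probe string is a benign identifier, so the assertion proves the request-supplied service name is not reflected at all, which matches a fix that drops the value rather than escapes it; if `req.forbidden` is ever changed to escape instead, the probe would need a payload containing `<` or `"` to stay meaningful, and a short comment saying so would stop a later edit from weakening the test, e.g. `# the 403 body must not echo the requested service name (reflected XSS)`. The two tests also check the status and the body in opposite order; either order works, but matching them makes the pair easier to scan. SmartHandlersTestCase's class header is outside the hunk.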
 

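--- a/dulwich/web.py
+++ b/dulwich/web.py
@@ -222,7 +222,7 @@ def handle_service_request(req, backend, mat):
     logger.info('Handling service request for %s', service)
     handler_cls = req.handlers.get(service, None)
     if handler_cls is None:
-        yield req.forbidden('Unsupported service %s' % service)
+        yield req.forbidden('Unsupported service')
         return
     req.nocache()
     write = req.respond(HTTP_OK, 'application/x-%s-result' % service)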
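Review bot: Dropping the service name from the 403 body on the added line removes this reflection, but the same request-controlled value is still written unfiltered by `logger.info('Handling service request for %s', service)` on the first context line, where a path segment containing newlines or control characters can forge log entries; `logger.info('Handling service request for %r', service)` keeps the record on one line and parseable. The structural fix belongs in `req.forbidden`, which is defined outside the hunk: if it sends the message as text/plain or HTML-escapes it, no future caller can reintroduce the bug by interpolating request data into the message, whereas this change only cleans up one call site. A one-line comment above the forbidden call, `# do not echo the requested service name: it is attacker-controlled`, would record why the message is deliberately generic. handle_service_request begins before the hunk, and where `service` is derived (presumably from `mat`) is not visible here.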