From a1119ad313670bccc1477070a7ad8b112f15f4e7 Mon Sep 17 00:00:00 2001
From: RA <70325462+RAprogramm@users.noreply.github.com>
Date: Sat, 27 Sep 2025 13:17:44 +0700
Subject: [PATCH] Validate legacy error response statuses

---
 src/response/legacy.rs | 36 ++++++++++++++++++++++++++----------
 src/response/tests.rs | 11 ++++++++++-
 2 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/src/response/legacy.rs b/src/response/legacy.rs
index a11489a..217e6fd 100644
--- a/src/response/legacy.rs
+++ b/src/response/legacy.rs
@@ -1,3 +1,5 @@
+use http::StatusCode;
+
 use super::core::ErrorResponse;
 use crate::AppCode;
 
@@ -12,15 +14,29 @@ impl ErrorResponse {
 /// ease migration from versions prior to 0.3.0.
 #[must_use]
 pub fn new_legacy(status: u16, message: impl Into) -> Self {
- let msg = message.into();
- Self::new(status, AppCode::Internal, msg.clone()).unwrap_or(Self {
- status: 500,
- code: AppCode::Internal,
- message: msg,
- details: None,
- retry: None,
- www_authenticate: None
- })
+ match StatusCode::from_u16(status) {
+ Ok(_) => {
+ let message = message.into();
+ Self {
+ status,
+ code: AppCode::Internal,
+ message,
+ details: None,
+ retry: None,
+ www_authenticate: None
+ }
+ }
+ Err(_) => {
+ let message = message.into();
+ Self {
+ status: 500,
+ code: AppCode::Internal,
+ message,
+ details: None,
+ retry: None,
+ www_authenticate: None
+ }
+ }
+ }
 }
 }
-use alloc::string::String;
diff --git a/src/response/tests.rs b/src/response/tests.rs
index 68c8117..bd9cbdb 100644
--- a/src/response/tests.rs
+++ b/src/response/tests.rs
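Review bot: In `new_legacy` (src/response/legacy.rs) the new guard keeps every status `StatusCode::from_u16` accepts, which is any value from 100 to 999, so a call such as `new_legacy(200, ..)` or `new_legacy(302, ..)` still produces an error body under a success or redirect status that caches, proxies and status-based alerting will not treat as a failure. If legacy callers are only meant to pass error statuses, restrict the `Ok` case to 4xx/5xx as below; the removed code went through `Self::new`, whose checks are not visible here, so confirm that building the struct directly drops nothing it enforced. The two arms also repeat one struct literal and differ only in `status`, so resolving the status first leaves a single literal. The enclosing `impl ErrorResponse` begins above the hunk.

```rust
// … unchanged: doc comment, #[must_use] and the new_legacy signature …
        // Keep only error-class statuses; anything else is reported as 500.
        let status = match StatusCode::from_u16(status) {
            Ok(code) if code.is_client_error() || code.is_server_error() => status,
            _ => 500
        };
        Self {
            status,
            code: AppCode::Internal,
            message: message.into(),
            details: None,
            retry: None,
            www_authenticate: None
        }
```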
@@ -365,7 +365,16 @@ fn display_is_concise_and_does_not_leak_details() {
 #[allow(deprecated)]
 #[test]
 fn new_legacy_defaults_to_internal_code() {
- let e = ErrorResponse::new_legacy(500, "boom");
+ let e = ErrorResponse::new_legacy(404, "boom");
+ assert_eq!(e.status, 404);
+ assert!(matches!(e.code, AppCode::Internal));
+ assert_eq!(e.message, "boom");
+}
+
+#[allow(deprecated)]
+#[test]
+fn new_legacy_invalid_status_falls_back_to_internal_error() {
+ let e = ErrorResponse::new_legacy(0, "boom");
 assert_eq!(e.status, 500);
 assert!(matches!(e.code, AppCode::Internal));
 assert_eq!(e.message, "boom");
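Review bot: The fallback test `new_legacy_invalid_status_falls_back_to_internal_error` pins only status 0, so the edges of the accepted range are unchecked and a later change to the validation could move them unnoticed. Adding `assert_eq!(ErrorResponse::new_legacy(99, "boom").status, 500);` and `assert_eq!(ErrorResponse::new_legacy(1000, "boom").status, 500);` would fix both boundaries. A case for a non-error status such as 200 would also record whether passing it through is intended. The closing brace of the new test lies outside the hunk.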