
Author Felix.Gröbert
Recipients Felix.Gröbert
Date 2011-03-25.12:14:56
Message-id <1301055298.41.0.957962483368.issue11671@psf.upfronthosting.co.za>
Content
As noted in security@python.org's response, I'm filing this bug here.

In wsgiref.headers.Headers it is possible to include headers which
contain a newline (i.e. \n or \r) either through add_header or
__init__. It is not uncommon for developers to provide web applications
to the public in which the HTTP response headers are not filtered for
newlines but are controlled by the user. In such scenarios a malicious
user can use a newline to inject another header or even initiate an
HTTP response body. The impact would be at least equivalent to XSS.
Therefore, I suggest filtering/warning on/raising an exception for header
tuples which contain the above characters upon assignment in
wsgiref.headers.
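The check the report proposes, shown as an added example rather than anything from CPython's wsgiref or from the reporter: a subclass of wsgiref.headers.Headers that rejects CR, LF (and NUL) on every input path (__init__, __setitem__, setdefault, add_header including its keyword parameters), next to a function showing what a response split looks like when the plain class is fed a user-controlled Location value. The tainted value, the StrictHeaders class name and the helper names are constructed for this example; the "vulnerable" function assumes the stdlib class performs no newline check, which is what the report states.

```python
import re
from wsgiref.headers import Headers

# A CR or LF inside a header field ends the header line, so an attacker who
# controls a value can append further headers or, with a blank line, a body.
# NUL is rejected as well since many servers and proxies refuse it.
_ILLEGAL = re.compile(r"[\r\n\x00]")


def check_header_field(value, what="header field"):
    """Return value unchanged, or raise if it could split the response."""
    if not isinstance(value, str):
        raise TypeError(f"{what} must be str, got {type(value).__name__}")
    if _ILLEGAL.search(value):
        raise ValueError(f"{what} contains CR, LF or NUL: {value!r}")
    return value


class StrictHeaders(Headers):
    """wsgiref.headers.Headers that refuses CR/LF on every way in.

    Hypothetical hardened wrapper for this example; not part of wsgiref.
    """

    def __init__(self, headers=None):
        headers = [] if headers is None else headers
        if not isinstance(headers, list):
            raise TypeError("Headers must be a list of name/value tuples")
        for name, value in headers:
            check_header_field(name, "header name")
            check_header_field(value, "header value")
        super().__init__(headers)

    def __setitem__(self, name, val):
        super().__setitem__(check_header_field(name, "header name"),
                            check_header_field(val, "header value"))

    def setdefault(self, name, value):
        return super().setdefault(check_header_field(name, "header name"),
                                  check_header_field(value, "header value"))

    def add_header(self, _name, _value, **_params):
        # Parameters are joined into the value by the base class, so they
        # are an injection path too and must be checked as well.
        check_header_field(_name, "header name")
        if _value is not None:
            check_header_field(_value, "header value")
        for k, v in _params.items():
            check_header_field(k, "parameter name")
            if v is not None:
                check_header_field(v, "parameter value")
        super().add_header(_name, _value, **_params)


# Constructed attacker input: a redirect target that smuggles a CRLF, a
# second header, a blank line and an attacker-chosen body.
TAINTED_LOCATION = ("/home\r\nSet-Cookie: session=attacker\r\n\r\n"
                    "<script>alert(1)</script>")


def vulnerable_response():
    """Serialize headers built with the plain class from the tainted value.

    str(Headers) is the wire form "Name: value\\r\\n...\\r\\n\\r\\n"; with the
    tainted value it contains an injected Set-Cookie line and a body.
    """
    h = Headers([("Content-Type", "text/html")])
    h["Location"] = TAINTED_LOCATION
    return str(h)


def hardened_response():
    """Same flow with StrictHeaders: the tainted value is refused, so the
    application can answer with an error instead of emitting the header."""
    h = StrictHeaders([("Content-Type", "text/html")])
    try:
        h["Location"] = TAINTED_LOCATION
    except ValueError:
        return None
    return str(h)


if __name__ == "__main__":
    print(repr(vulnerable_response()))
    print(repr(hardened_response()))
```

Validating at assignment time, as the report suggests, is preferable to scrubbing at serialization: a rejected value surfaces as an error in the handler that accepted user input, while silent stripping can turn an attack into a subtly wrong but accepted header.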
History
Date: 2011-03-25 12:14:58  User: Felix.Gröbert  Action: set  Args: recipients: + Felix.Gröbert
Date: 2011-03-25 12:14:58  User: Felix.Gröbert  Action: set  Args: messageid: <1301055298.41.0.957962483368.issue11671@psf.upfronthosting.co.za>
Date: 2011-03-25 12:14:57  User: Felix.Gröbert  Action: link  Args: issue11671 messages
Date: 2011-03-25 12:14:56  User: Felix.Gröbert  Action: create