Document CRLF handling for http.server #142533

@aydinnyunus

Description


Bug report

Bug description:

Vulnerability Description

The send_header method in Lib/http/server.py writes headers directly to the output stream without checking for line breaks. When user-controlled input is passed to send_header, an attacker can inject CRLF sequences (\r\n) to terminate the current header and inject new headers or manipulate the response.

Vulnerable Code:

def send_header(self, keyword, value):
    """Send a MIME header to the headers buffer."""
    if self.request_version != 'HTTP/0.9':
        if not hasattr(self, '_headers_buffer'):
            self._headers_buffer = []
        self._headers_buffer.append(
            ("%s: %s\r\n" % (keyword, value)).encode('latin-1', 'strict'))
    # No validation for \r or \n characters!

Attack Scenarios

Scenario 1: Set-Cookie Injection (Session Fixation)

Vulnerable Application:

from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

class VulnerableHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        custom_val = query.get('val', [''])[0]
        
        self.send_response(200)
        # VULNERABLE: Direct injection into header
        self.send_header('X-Custom', custom_val)
        self.end_headers()
        self.wfile.write(b"Hello World")

Attack URL:

http://localhost:8000/?val=test%0d%0aSet-Cookie:%20pwned=true

Result:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.x
Date: ...
X-Custom: test
Set-Cookie: pwned=true

Impact: An attacker can inject session cookies, leading to session fixation attacks.

Scenario 2: Location Header Injection (Malicious Redirect)

Attack URL:

http://localhost:8000/?val=test%0d%0ALocation:%20http://evil.com/

Result:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.x
Date: ...
X-Custom: test
Location: http://evil.com/

Impact:

  • Users are redirected to malicious websites
  • Phishing attacks
  • Open redirect vulnerabilities
  • Cache poisoning (if cached responses include the injected Location header)

Verified Test Results:

✓ LOCATION HEADER INJECTION CONFIRMED!
  Injected Location: http://evil.com/
✓ MALICIOUS REDIRECT CONFIRMED!
  Browser would redirect to: http://evil.com/
✓ MALICIOUS REDIRECT SUCCESSFUL!

Attack Vector

  • Type: Remote
  • Prerequisites:
    • Application uses http.server.BaseHTTPRequestHandler
    • User input is reflected in HTTP headers via send_header()
    • Common patterns: query parameters, user-agent reflection, custom headers
  • Complexity: Low - Simple URL manipulation
  • Authentication: Not required

Impact

  1. Session Fixation: Inject Set-Cookie headers to control user sessions
  2. Malicious Redirects: Inject Location headers to redirect users to attacker-controlled sites
  3. Cache Poisoning: Inject headers that affect cached responses
  4. Cross-Site Scripting (XSS): Inject headers that enable XSS attacks
  5. Web Cache Deception: Manipulate cache behavior via injected headers

CPython versions tested on:

CPython main branch

Operating systems tested on:

macOS
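The following is an added example, not code from the issue above or from CPython. It places the report's handler beside a hardened variant and drives both over in-memory buffers so the response bytes can be inspected without opening a socket. The rejection policy (refuse CR, LF and NUL rather than strip them), the `HardenedHandler` name, the `run_request` harness that overrides `setup`/`finish`, and the sample requests are all assumptions of this example.

```python
import io
import re
from http.server import BaseHTTPRequestHandler
from urllib.parse import parse_qs, urlparse

# Characters that must never reach a header line: CR and LF terminate the
# line, NUL is rejected by most parsers. Assumed policy: reject, don't strip,
# so the caller learns that the input was bad.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value) -> bool:
    """True if str(value) contains no CR, LF or NUL."""
    return _FORBIDDEN.search(str(value)) is None


class _QuietHandler(BaseHTTPRequestHandler):
    """Only silences request logging so the example runs cleanly."""

    def log_message(self, format, *args):
        pass


class VulnerableHandler(_QuietHandler):
    """The handler from the report: the query value goes straight into a header."""

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        custom_val = query.get('val', [''])[0]
        self.send_response(200)
        self.send_header('X-Custom', custom_val)  # no validation
        self.end_headers()
        self.wfile.write(b"Hello World")


class HardenedHandler(_QuietHandler):
    """Same application with two independent defences (assumed design)."""

    def send_header(self, keyword, value):
        # Defence in depth: refuse any header that could split a line,
        # whichever code path tries to send it.
        if not (header_value_is_safe(keyword) and header_value_is_safe(value)):
            raise ValueError("CR/LF/NUL in HTTP header %r" % keyword)
        super().send_header(keyword, value)

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        custom_val = query.get('val', [''])[0]
        # Validation at the trust boundary: reject rather than reflect.
        if not header_value_is_safe(custom_val):
            self.send_response(400)
            self.send_header('Content-Type', 'text/plain')
            self.end_headers()
            self.wfile.write(b"invalid characters in 'val'")
            return
        self.send_response(200)
        self.send_header('X-Custom', custom_val)
        self.end_headers()
        self.wfile.write(b"Hello World")


def run_request(handler_cls, raw_request: bytes) -> bytes:
    """Drive a handler over BytesIO instead of a socket; returns the raw response."""

    class _InMemory(handler_cls):
        def setup(self):
            self.rfile = io.BytesIO(self.request)
            self.wfile = io.BytesIO()

        def finish(self):
            self.wfile.flush()  # keep the buffer open so it can be read back

    handler = _InMemory(raw_request, ("127.0.0.1", 0), None)
    return handler.wfile.getvalue()


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


# Constructed sample requests: the report's attack URL and a benign one.
ATTACK_REQUEST = (b"GET /?val=test%0d%0aSet-Cookie:%20pwned=true HTTP/1.0\r\n"
                  b"Host: localhost\r\n\r\n")
BENIGN_REQUEST = b"GET /?val=hello HTTP/1.0\r\nHost: localhost\r\n\r\n"


if __name__ == "__main__":
    for cls in (VulnerableHandler, HardenedHandler):
        status, headers, _ = parse_response(run_request(cls, ATTACK_REQUEST))
        print(cls.__name__, status, [h for h in headers if h[0] != "Date"])
```

Run against the attack request, `VulnerableHandler` produces a response whose parsed header list contains a separate `Set-Cookie` entry, which is exactly the splitting the report describes; `HardenedHandler` answers 400 and emits no such header. The `send_header` override matters even when `do_GET` validates correctly: it catches any other code path (an error handler, a redirect helper) that later reflects input into a header.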
