Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules #143395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vstinner merged 8 commits into from
Apr 2, 2026
+9 −0
Merged

gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules #143395

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b1edcf8
gh-142533: Document CRLF injection vulnerability in http.server and w…
tadejmagajna Jan 3, 2026
39c5198
gh-142533: Remove reduntant NEWS entry
tadejmagajna Jan 4, 2026
2751d9b
gh-142533: Ensure CRLF is mentioned in the security consideration sec…
tadejmagajna Jan 4, 2026
d88da64
gh-142533: Added label and spacing
tadejmagajna Jan 4, 2026
57ff6a9
Merge branch 'main' into gh-142533-document-server-header-vulnerability
tadejmagajna Apr 1, 2026
0be4e58
gh-142533: Remove vulnerability warnings from wsgiref module document…
tadejmagajna Apr 1, 2026
3f8dd05
Accept commit suggestion reg. http header reference
tadejmagajna Apr 2, 2026
eb4fbfb
gh-142533: Document CRLF vulnerability also for send_response_only
tadejmagajna Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions 9 Doc/library/http.server.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,8 @@ instantiation, of which this module provides three different variants:
specifying its value. Note that, after the send_header calls are done,
:meth:`end_headers` MUST BE called in order to complete the operation.

This method does not reject input containing CRLF sequences.

.. versionchanged:: 3.2
Headers are stored in an internal buffer.

Expand All @@ -297,6 +299,8 @@ instantiation, of which this module provides three different variants:
buffered and sent directly the output stream.If the *message* is not
specified, the HTTP message corresponding the response *code* is sent.

This method does not reject *message* containing CRLF sequences.

.. versionadded:: 3.2

.. method:: end_headers()
Expand Down Expand Up @@ -555,6 +559,11 @@ Security considerations
requests, this makes it possible for files outside of the specified directory
to be served.

Methods :meth:`BaseHTTPRequestHandler.send_header` and
:meth:`BaseHTTPRequestHandler.send_response_only` assume sanitized input
and does not perform input validation such as checking for the presence of CRLF
sequences. Untrusted input may result in HTTP Header injection attacks.

Earlier versions of Python did not scrub control characters from the
log messages emitted to stderr from ``python -m http.server`` or the
default :class:`BaseHTTPRequestHandler` ``.log_message``
Expand Down
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.