[Web-SIG] Newline values in WSGI response header values.
graham.dumpleton at gmail.com
Thu Jun 12 10:02:38 CEST 2008
Can anyone confirm for me what the behaviour should be if someone
includes a newline in the value of a WSGI response header?
CGI specification would seem to disallow it and thus WSGI adapter
should by rights possibly produce an error if user code does it.
At the moment I know of no WSGI adapter implementation which validates
whether a newline appears in the value of a WSGI response header. For
many WSGI adapters this means that a header of:
Key1: "Value1\r\nKey2: Value2"
will actually translate into two separate headers being sent back to client.
For a header of:
in a WSGI adapter which simply passes things through, the client would
get an invalid header line, which in general it would ignore. If
however this was generated when hosted with a CGI-WSGI adapter, for
Apache at least, Apache would generate a 500 error itself due to
detected a header line of invalid format.
Thus, is an embedded newline in value invalid? Would it be reasonable
for a WSGI adapter to flag it as an error?
More information about the Web-SIG