[New-bugs-announce] [issue11671] Potential misuse of wsgiref.headers.Headers

Felix Gröbert report at bugs.python.org
Fri Mar 25 13:14:58 CET 2011

New submission from Felix Gröbert <groebert at google.com>:

As noted by security at python.org's response I'm filing this bug here.

In wsgiref.headers.Headers it is possible to include headers which
contain a newline (i.e. \n or \r) either through add_header or
__init__. It is not uncommon that developers provide web applications
to the public in which the HTTP response headers are not filtered for
newlines but are controlled by the user. In such scenarios a malicious
user can use a newline to inject another header or even initiate a
HTTP response body. The impact would be at least equivalent to XSS.
Therefore, I suggest to filter/warn/except header tuples which contain
the above characters upon assignment in wsgiref.headers.

components: Library (Lib)
messages: 132080
nosy: Felix.Gröbert
priority: normal
severity: normal
status: open
title: Potential misuse of wsgiref.headers.Headers
type: security
versions: Python 3.3

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list