[Web-SIG] Newline values in WSGI response header values.

Graham Dumpleton graham.dumpleton at gmail.com
Thu Jun 12 10:02:38 CEST 2008

Can anyone confirm for me what the behaviour should be if someone
includes a newline in the value of a WSGI response header?

CGI specification would seem to disallow it and thus WSGI adapter
should by rights possibly produce an error if user code does it.

At the moment I know of no WSGI adapter implementation which validates
whether a newline appears in the value of a WSGI response header. For
many WSGI adapters this means that a header of:

  Key1: "Value1\r\nKey2: Value2"

will actually translate into two separate headers being sent back to client.

For a header of:

  Key3: "Value3a\r\nValue3b"

in a WSGI adapter which simply passes things through, the client would
get an invalid header line, which in general it would ignore. If
however this was generated when hosted with a CGI-WSGI adapter, for
Apache at least, Apache would generate a 500 error itself due to
detected a header line of invalid format.

Thus, is an embedded newline in value invalid? Would it be reasonable
for a WSGI adapter to flag it as an error?



More information about the Web-SIG mailing list