[Web-SIG] Newline values in WSGI response header values.
Alan Kennedy
pywebsig at xhaus.com
Thu Jun 12 11:06:42 CEST 2008
[Graham]
> Thus, is an embedded newline in value invalid? Would it be reasonable
> for a WSGI adapter to flag it as an error?
From a security POV, it may be advisable for WSGI servers to *not*
allow newlines in HTTP response headers; newlines in response headers
may be the result of an application's failure to sanitise its inputs.
http://en.wikipedia.org/wiki/HTTP_response_splitting
Regards,
Alan.
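
The check suggested in this thread, as an added example that is not part of the original message or of any WSGI server: a middleware wrapper that refuses a status line or header containing CR or LF. The names HeaderNewlineGuard, check_headers, demo_app and run are hypothetical, and the sample inputs are constructed.

```python
import re
from urllib.parse import unquote

# CR or LF inside a header name or value ends the header line early,
# so both characters are rejected outright rather than stripped.
_CRLF = re.compile(r"[\r\n]")


def check_headers(status, headers):
    """Raise ValueError if the status line or any header carries CR or LF."""
    if _CRLF.search(status):
        raise ValueError("newline in status line: %r" % status)
    for name, value in headers:
        if _CRLF.search(name) or _CRLF.search(value):
            raise ValueError("newline in response header %r: %r" % (name, value))


class HeaderNewlineGuard:
    """WSGI middleware (hypothetical name) that validates start_response arguments."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            check_headers(status, headers)  # fail before anything reaches the server
            return start_response(status, headers, exc_info)
        return self.app(environ, checked_start_response)


def demo_app(environ, start_response):
    # Constructed sample app: the redirect target is copied from the query
    # string without sanitising, the failure mode the message refers to.
    target = unquote(environ.get("QUERY_STRING", ""))
    start_response("302 Found", [("Location", target)])
    return [b""]


def run(query_string):
    """Drive the guarded demo app once; return the accepted headers or the error text."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers

    try:
        list(HeaderNewlineGuard(demo_app)({"QUERY_STRING": query_string}, start_response))
    except ValueError as exc:
        return "rejected: %s" % exc
    return seen["headers"]
```

Raising an error, rather than silently removing the characters, surfaces the application bug that let unsanitised input reach a header.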