Phillip J. Eby <p...@telecommunity.com> added the comment:

> It is not uncommon that developers provide web applications
> to the public in which the HTTP response headers are not filtered for
> newlines but are controlled by the user.

Really?  Which applications, and which response headers?

> Therefore, I suggest to filter/warn/except header tuples which contain
> the above characters upon assignment in wsgiref.headers.

Applications that send them are not WSGI compliant anyway, since the spec 
forbids control characters in header strings -- and wsgiref.validate already 
validates this.

Still, I'm not aware of any legitimate use case for apps sending user input as 
an HTTP header where the data wouldn't already be escaped in some fashion -- 
cookies, URLs, ...?

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11671>
_______________________________________
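
The wsgiref.validate check mentioned in the comment above, as an added example that is not part of the original message or the tracker issue. The app `lang_app`, the helper `check`, the `lang` query parameter and both query strings are constructed for illustration.

```python
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults
from wsgiref.validate import validator


def lang_app(environ, start_response):
    """Hypothetical app: copies the 'lang' query parameter into a header."""
    # parse_qs percent-decodes, so %0d%0a in the URL becomes a real CR LF here.
    lang = parse_qs(environ.get("QUERY_STRING", "")).get("lang", ["en"])[0]
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Language", lang),
    ])
    return [b"ok\n"]


def check(query_string):
    """Run lang_app under wsgiref.validate; return (accepted, detail)."""
    environ = {"QUERY_STRING": query_string}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    sent = []

    def start_response(status, headers, exc_info=None):
        # Only reached if the validator accepted the status and headers.
        sent.extend(headers)
        return lambda data: None

    try:
        body = validator(lang_app)(environ, start_response)
        try:
            for _ in body:
                pass
        finally:
            body.close()  # the validator requires the iterable to be closed
    except AssertionError as exc:
        # The validator raises AssertionError for control characters in a header.
        return False, str(exc)
    return True, dict(sent)


if __name__ == "__main__":
    # Constructed inputs: a plain value and one carrying an encoded CR LF.
    for qs in ("lang=fr", "lang=en%0d%0aX-Constructed:%201"):
        print(qs, "->", check(qs))
```

The validator is a development-time wrapper: it rejects the response before the server's own `start_response` is called, so nothing is sent for the second input.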