[issue11671] Security hole in wsgiref.headers.Headers

2011-03-28 Thread Felix Gröbert
Felix Gröbert added the comment: If the spec forbids control characters in headers, the module should enforce that. The most frequent example of header injection is the redirect-case: an application is forwarding using the Location header to a user-supplied URL. http://google.com/codesearch

[issue11671] Potential misuse of wsgiref.headers.Headers

2011-03-25 Thread Felix Gröbert
New submission from Felix Gröbert: As noted by secur...@python.org's response I'm filing this bug here. In wsgiref.headers.Headers it is possible to include headers which contain a newline (i.e. \n or \r) either through add_header or __init__. It is not uncommon that developers p
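
An added example, not code from the report or from CPython: one way an application can enforce the no-control-characters rule itself, covering the two entry points named in the report (`__init__` and `add_header`) and the redirect case with a user-supplied `Location`. `StrictHeaders`, `checked_pairs`, `redirect_headers` and the sample URLs are hypothetical names and constructed values.

```python
import re
from wsgiref.headers import Headers

# PEP 3333 forbids control characters in header names and values;
# this matches the C0 range (which includes \r and \n) and DEL.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def checked_pairs(pairs):
    """Return pairs as a list; raise ValueError on any control character."""
    out = []
    for name, value in pairs:
        for label, text in (("name", name), ("value", value)):
            if _CTL.search(text):
                raise ValueError(f"control character in header {label}: {text!r}")
        out.append((name, value))
    return out


class StrictHeaders(Headers):
    """Hypothetical wrapper: validates every public method that stores a header."""

    def __init__(self, headers=None):
        super().__init__(checked_pairs(headers or []))

    def __setitem__(self, name, val):
        checked_pairs([(name, val)])
        super().__setitem__(name, val)

    def setdefault(self, name, value):
        checked_pairs([(name, value)])
        return super().setdefault(name, value)

    def add_header(self, _name, _value, **_params):
        # None is allowed by add_header for the value and for parameters.
        checked_pairs([(_name, _value or "")])
        checked_pairs((k, v or "") for k, v in _params.items())
        super().add_header(_name, _value, **_params)


def redirect_headers(target_url):
    """The redirect case: target_url is user-supplied and lands in Location."""
    headers = StrictHeaders([("Content-Type", "text/plain")])
    headers.add_header("Location", target_url)
    return headers


# Constructed sample inputs, not taken from the report.
SAFE_URL = "http://example.test/next"
BAD_URL = "http://example.test/next\r\nX-Injected: 1"
```

Rejecting the value outright, rather than stripping the newline, keeps a malformed redirect target from being silently rewritten into a different URL.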