New submission from Felix Gröbert <groeb...@google.com>: As noted by secur...@python.org's response, I'm filing this bug here.
In wsgiref.headers.Headers it is possible to include headers which contain a newline (i.e. \n or \r), either through add_header or __init__. It is not uncommon for developers to provide web applications to the public in which the HTTP response headers are not filtered for newlines but are controlled by the user. In such scenarios a malicious user can use a newline to inject another header or even initiate an HTTP response body. The impact would be at least equivalent to XSS. Therefore, I suggest filtering, warning about or raising an exception on header tuples which contain the above characters upon assignment in wsgiref.headers.

----------
components: Library (Lib)
messages: 132080
nosy: Felix.Gröbert
priority: normal
severity: normal
status: open
title: Potential misuse of wsgiref.headers.Headers
type: security
versions: Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11671>
_______________________________________
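The following is an added example illustrating the report above; it is not code from the tracker issue or from CPython. It builds a redirect response through wsgiref.headers.Headers exactly as the report describes (a user-controlled value copied into a Location header, with Headers performing no newline check), parses the rendered block the way an HTTP client would to show the smuggled Set-Cookie header and response body, and then shows the check the report asks for as a hypothetical SafeHeaders subclass that rejects CR, LF and NUL on every assignment path. The attacker value and the application names are constructed for the demonstration.

```python
"""Header injection via wsgiref.headers.Headers, and a hardened wrapper.

Added example, not part of the tracker issue or of CPython. The attacker
input, the redirect application and SafeHeaders are all constructed here.
"""
from wsgiref.headers import Headers

# Constructed attacker value for a 'next' redirect parameter. The CR/LF
# pair terminates the Location header, the second pair ends the header
# block, and what follows becomes the response body.
ATTACKER_NEXT = "/home\r\nSet-Cookie: session=evil\r\n\r\n<script>alert(1)</script>"


def render_redirect_unsafe(next_url):
    """Vulnerable pattern: a request parameter lands in a header unchecked.

    Headers.__str__ joins the tuples with CRLF and appends the blank line,
    i.e. it yields the exact bytes that would go on the wire.
    """
    headers = Headers([("Content-Type", "text/html")])
    headers.add_header("Location", next_url)
    return str(headers)


def split_response(wire):
    """Parse a rendered header block like a client: header lines up to the
    first blank line, everything after it is body."""
    head, _, body = wire.partition("\r\n\r\n")
    return head.split("\r\n"), body


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the header framing."""


_FORBIDDEN = frozenset("\r\n\0")


def checked_header(name, value):
    """The check the report asks for: refuse CR, LF and NUL in names and
    values at assignment time rather than at send time."""
    for label, text in (("name", name), ("value", value)):
        if any(ch in _FORBIDDEN for ch in text):
            raise HeaderInjectionError(
                "illegal character in header %s: %r" % (label, text))
    return name, value


class SafeHeaders(Headers):
    """Hypothetical Headers subclass that validates on __init__, __setitem__
    and add_header, the three paths the report names."""

    def __init__(self, headers=None):
        # Headers requires a real list, so build one after validation.
        headers = [checked_header(k, v) for k, v in (headers or [])]
        super().__init__(headers)

    def __setitem__(self, name, val):
        super().__setitem__(*checked_header(name, val))

    def add_header(self, _name, _value, **_params):
        checked_header(_name, _value if _value is not None else "")
        for k, v in _params.items():
            checked_header(k, v if v is not None else "")
        super().add_header(_name, _value, **_params)


def render_redirect_safe(next_url):
    """Same application logic, but the injection is rejected on assignment."""
    headers = SafeHeaders([("Content-Type", "text/html")])
    headers.add_header("Location", next_url)
    return str(headers)


if __name__ == "__main__":
    lines, body = split_response(render_redirect_unsafe(ATTACKER_NEXT))
    print("unsafe header lines:", lines)
    print("unsafe body:", repr(body))
    try:
        render_redirect_safe(ATTACKER_NEXT)
    except HeaderInjectionError as exc:
        print("safe:", exc)
```

Run with the attacker value, the unsafe renderer emits three header lines (Content-Type, Location, and the injected Set-Cookie) followed by the script tag as body, which is the "at least equivalent to XSS" outcome the report describes; SafeHeaders raises HeaderInjectionError before any of it is rendered, while legitimate values pass through unchanged.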