HTTP Response Splitting #117

bertjwregeer opened this Issue Oct 7, 2015 · 3 comments



If for some reason an application returns a header dictionary that contains a header that has \r\n in it:

    ('Location', '\r\nX-Test: false')

This will then get sent directly to the user, which would mean the end user sees the following:

X-Test: false

Which is bad (tm).


See: Pylons/webob#217 where this was reported for WebOb and I don't believe that is the correct location to fix this.


Currently waitress is not PEP3333 compliant:

Servers should check for errors in the headers at the time start_response is called, so that an error can be raised while the application is still running.

We should do a check to make sure that the header value does not contain illegal characters (control characters in this case).
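The start_response-time check described above, as an added example that is not waitress code or the project's fix: a minimal WSGI header validator wired into start_response, exercised with the exact header from this issue. The names (check_headers, serve, split_app, good_app) are assumed for the illustration.

```python
import re

# RFC 7230: header names are tokens; values may not contain CTLs (0x00-0x1F,
# 0x7F) other than HTAB. CR/LF in a value is the response-splitting case here.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class InvalidHeader(ValueError):
    """Raised inside start_response, while the application is still running."""


def check_headers(headers):
    """Validate a WSGI response header list; return it or raise InvalidHeader."""
    for item in headers:
        if not isinstance(item, tuple) or len(item) != 2:
            raise InvalidHeader("header must be a (name, value) tuple: %r" % (item,))
        name, value = item
        if not _TOKEN.match(name):
            raise InvalidHeader("illegal header name: %r" % (name,))
        if _CTL.search(value):
            raise InvalidHeader("control character in header %s: %r" % (name, value))
    return headers


def serve(app, environ):
    """Run a WSGI app once; return (status, headers, body) or raise InvalidHeader."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        check_headers(response_headers)  # the PEP 3333 check point
        captured["status"] = status
        captured["headers"] = list(response_headers)
        return lambda data: None  # write() callable, unused here

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def split_app(environ, start_response):
    """Constructed app that returns exactly the header from this issue."""
    start_response("302 Found", [("Location", "\r\nX-Test: false")])
    return [b""]


def good_app(environ, start_response):
    """Constructed app with a legal redirect."""
    start_response("302 Found", [("Location", "https://example.com/")])
    return [b""]
```

Because the check runs inside start_response, the error surfaces in the application's own call stack instead of as a split response on the wire.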

@bertjwregeer bertjwregeer self-assigned this Dec 29, 2015

We should be doing this, like mod_wsgi: Pylons/webob#217 (comment)
