HTTP Response Splitting #117

Closed
bertjwregeer opened this Issue Oct 7, 2015 · 3 comments


@bertjwregeer
Member

If for some reason an application returns a header dictionary that contains a header that has \r\n in it:

[
    ('Location', 'http://example.com\r\nX-Test: false')
]

This will then, at https://github.com/Pylons/waitress/blob/master/waitress/task.py#L260, get sent directly to the user, which would mean the end user sees the following:

Location: http://example.com/
X-Test: false

Which is bad (tm).

@bertjwregeer
Member

See Pylons/webob#217, where this was reported for WebOb; I don't believe that is the correct location to fix this.

@bertjwregeer
Member

Currently waitress is not PEP 3333 compliant:

Servers should check for errors in the headers at the time start_response is called, so that an error can be raised while the application is still running.

We should do a check to make sure that the header value does not contain illegal characters (control characters in this case).

@bertjwregeer bertjwregeer self-assigned this Dec 29, 2015
@bertjwregeer
Member

We should be doing this, like mod_wsgi: Pylons/webob#217 (comment)
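The check proposed in the two comments above (validate the header list at the time start_response is called, so the application is still running when the error is raised), worked through as an added example. This is not waitress's code and not the mod_wsgi implementation linked above; it is a minimal WSGI driver written for this page. The regexes, the `validate_*`/`run_app`/`serialize_headers` names and the two sample applications are assumptions for illustration; the offending Location header is the one from the issue.

```python
import re

# Added example, not waitress's code. Header names must be RFC 7230 tokens;
# header values must not contain CR, LF or any other control character, which
# is what makes response splitting possible when a server emits them verbatim.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
_STATUS_RE = re.compile(r"^[1-5][0-9][0-9] [^\x00-\x1f\x7f]*$")


def validate_status(status):
    """A status line is 'NNN reason' with no control characters in the reason."""
    if not isinstance(status, str) or not _STATUS_RE.match(status):
        raise ValueError("invalid WSGI status line: %r" % (status,))
    return status


def validate_headers(headers):
    """Reject any (name, value) pair that could split the response."""
    if not isinstance(headers, list):
        raise TypeError("headers must be a list of (name, value) tuples")
    for item in headers:
        if not (isinstance(item, tuple) and len(item) == 2):
            raise ValueError("header entries must be 2-tuples: %r" % (item,))
        name, value = item
        if not isinstance(name, str) or not isinstance(value, str):
            raise ValueError("header name and value must be str: %r" % (item,))
        if not _TOKEN_RE.match(name):
            raise ValueError("illegal header name: %r" % (name,))
        if _CTL_RE.search(value):
            raise ValueError("control character in header value for %r" % (name,))
    return headers


def serialize_headers(status, headers):
    """Unchecked serialization: what reaches the client when nothing validates."""
    lines = ["HTTP/1.1 %s\r\n" % status]
    lines += ["%s: %s\r\n" % (name, value) for name, value in headers]
    return "".join(lines) + "\r\n"


def run_app(app, environ):
    """Minimal WSGI driver (hypothetical) that validates inside start_response.

    The check runs while the application is still on the stack, so a bad
    header surfaces as an exception in the app's own call to start_response,
    which is what PEP 3333 asks servers to do.
    """
    state = {"status": None, "headers": None}

    def start_response(status, headers, exc_info=None):
        state["status"] = validate_status(status)
        state["headers"] = validate_headers(headers)
        return lambda data: None  # legacy write() callable, unused here

    body = b"".join(app(environ, start_response))
    return state["status"], state["headers"], body


# Constructed sample applications for the demonstration.
def split_app(environ, start_response):
    # The exact header from the issue: a CRLF smuggled into Location.
    start_response("302 Found", [("Location", "http://example.com\r\nX-Test: false")])
    return [b""]


def safe_app(environ, start_response):
    start_response("302 Found", [("Location", "http://example.com/")])
    return [b""]


if __name__ == "__main__":
    # Without the check the injected CRLF becomes a real second header line.
    print(repr(serialize_headers("302 Found",
                                 [("Location", "http://example.com\r\nX-Test: false")])))
    try:
        run_app(split_app, {})
    except ValueError as exc:
        print("rejected:", exc)
    print(run_app(safe_app, {}))
```

Running the block prints the raw, split response first, then the rejection raised from inside `split_app`'s call to `start_response`, then the accepted result for `safe_app`. Rejecting every byte in the 0x00-0x1F range plus 0x7F, rather than just CR and LF, matches the "control characters" wording in the comment above and also blocks the lone-LF variant that some clients treat as a line terminator.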
