HTTP Response Splitting #117
See: Pylons/webob#217 where this was reported for WebOb and I don't believe that is the correct location to fix this.
Currently waitress is not PEP3333 compliant:
We should do a check to make sure that the header value does not contain illegal characters (control characters in this case).
We should be doing this, like mod_wsgi: Pylons/webob#217 (comment)
If for some reason an application returns a header dictionary that contains a header that has \r\n in it:
This will then on https://github.com/Pylons/waitress/blob/master/waitress/task.py#L260 get sent directly to the user, which would mean the end user sees the following:
Which is bad (tm).
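The check proposed in this issue, sketched as an added example (not waitress's or WebOb's code): it rejects header names and values that contain control characters, per PEP 3333, before the response head is serialized. The names check_headers, serialize_headers, is_rejected and InvalidHeader are hypothetical, and the sample headers are constructed.

```python
import re

# PEP 3333: header names and values must not contain control characters,
# including carriage returns or linefeeds, embedded or trailing.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Characters allowed in an HTTP header field name (the "token" grammar).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidHeader(ValueError):
    """Raised when an application supplies a header unsafe to serialize."""


def check_headers(headers):
    """Validate a WSGI-style list of (name, value) string pairs."""
    for name, value in headers:
        if not isinstance(name, str) or not isinstance(value, str):
            raise InvalidHeader("name and value must be str: %r" % (name,))
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not _TOKEN.fullmatch(name):
            raise InvalidHeader("illegal header name: %r" % (name,))
        if _CONTROL_CHARS.search(value):
            raise InvalidHeader("control character in value of %r" % (name,))
    return headers


def serialize_headers(status, headers):
    """Build the response head only after every header passed the check."""
    lines = ["HTTP/1.1 " + status]
    lines += ["%s: %s" % (n, v) for n, v in check_headers(headers)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def is_rejected(headers):
    """True if check_headers refuses the header list."""
    try:
        check_headers(headers)
    except InvalidHeader:
        return True
    return False


# Constructed samples: a value carrying CRLF, and a well-formed header list.
SPLIT = [("Location", "/next\r\nSet-Cookie: injected=1")]
CLEAN = [("Content-Type", "text/plain"), ("Location", "/next")]
```

Raising before any bytes are written lets the server answer with an error response instead of emitting a second, application-controlled header line.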