HTTP Response Splitting - Status/Header Names #122
#117 was about HTTP response splitting in header values. Should this also cover the status line and the header names? The same thing can happen with those.
All of these examples are on waitress 0.9.0b0:
Here's an app that uses a bad status line:
```python
def app(environ, start_response):
    # The CRLFs in the status string end the header block early.
    start_response("200 Evil\r\nContent-Length: 0\r\nConnection: close\r\n\r\n", [])
    return [b"This should be the body!"]
```
And the output of connecting to it:
And here's one that uses a bad header name:
```python
def app(environ, start_response):
    # The header name is a bare CRLF, so the "value" lands after a blank line.
    start_response("200 BadName", [("\r\n", "Content-length: 0")])
    return [b"This should be the body!"]
```
And its output, which hangs the client until a timeout, leaving a dangling socket:
I realize that HTTP status messages and header names are probably less likely to allow user input than header values, but if they do, bad things can still happen.
Nope, mod_wsgi has:
so it should be validating the status line and rejecting the presence of any control characters.
I should check that works. :-)
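The check discussed in this thread, written as WSGI middleware. This is an added example, not code from waitress, mod_wsgi or anyone in the thread; `guard`, `check_response` and `ResponseSplittingError` are hypothetical names, and the rules (three-digit status plus reason without control characters, RFC 7230 token header names, no control characters other than tab in values) are assumptions about what a server should enforce.

```python
import re

# Assumed validation rules for this example, not taken from any server's source.
_STATUS_RE = re.compile(r"[0-9]{3} [^\x00-\x1f\x7f]*")           # "NNN reason", no CTLs
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")          # RFC 7230 token
_VALUE_CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")          # CTLs except HTAB


class ResponseSplittingError(ValueError):
    """Raised when an application supplies an unsafe status or header."""


def check_response(status, headers):
    """Reject status lines, header names and header values that could split the response."""
    if not isinstance(status, str) or not _STATUS_RE.fullmatch(status):
        raise ResponseSplittingError("invalid status line: %r" % (status,))
    for name, value in headers:
        if not isinstance(name, str) or not _TOKEN_RE.fullmatch(name):
            raise ResponseSplittingError("invalid header name: %r" % (name,))
        if not isinstance(value, str) or _VALUE_CTL_RE.search(value):
            raise ResponseSplittingError("invalid value for header %r" % (name,))


def guard(app):
    """Wrap a WSGI app so start_response() arguments are validated before use."""
    def wrapped(environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            check_response(status, headers)
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)
        return app(environ, checked_start_response)
    return wrapped


# The two applications from the issue, reproduced as test inputs.
def bad_status_app(environ, start_response):
    start_response("200 Evil\r\nContent-Length: 0\r\nConnection: close\r\n\r\n", [])
    return [b"This should be the body!"]


def bad_name_app(environ, start_response):
    start_response("200 BadName", [("\r\n", "Content-length: 0")])
    return [b"This should be the body!"]
```

Raising inside `start_response` makes the application fail before any bytes are written, so the server can answer with its normal 500 handling.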