HTTP Response Splitting - Status/Header Names #122

jamadden opened this Issue Mar 17, 2016 · 4 comments


#117 was about HTTP response splitting in header values. Should this also cover the status line and the header names? The same thing can happen with those.

All of these examples are on waitress 0.9.0b0:

$ pip freeze | grep waitress

Here's an app that uses a bad status line:

def app(environ, start_response):
    start_response("200 Evil\r\nContent-Length: 0\r\nConnection: close\r\n\r\n", [])
    return [b"This should be the body!"]

And the output of connecting to it:

$ http
HTTP/1.1 200 Evil
Connection: close
Content-Length: 0


And here's one that uses a bad header name:

def app(environ, start_response):
    start_response("200 BadName",
                   [("\r\n", "Content-length: 0")])
    return [b"This should be the body!"]

And its output, which hangs the client until a timeout, leaving a dangling socket:

$ http
HTTP/1.1 200 BadName

http: error: ConnectionError: HTTPConnectionPool(host='', port=8080): Read timed out.

I realize that HTTP status messages and header names are probably less likely to allow user input than header values, but if they do, bad things can still happen.
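The check a WSGI server needs for this is small: the status must be a three-digit code, a space and a reason phrase with no control characters, header names must be RFC 7230 tokens, and header values may not contain CR, LF or other control characters. Below is an added example of such a check, written for this thread and not taken from waitress or mod_wsgi; `checked_start_response` is a hypothetical middleware wrapper that runs it before any bytes are written.

```python
import re

# RFC 7230 "token" characters, the only ones legal in a header field name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Status line: three-digit code, one space, then a reason phrase that contains
# no control character (a CR or LF there would start a new header line).
_STATUS_RE = re.compile(r"[0-9]{3} [^\x00-\x1f\x7f]*")
# Header values may contain HTAB (\x09) but no other control character.
_BAD_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_status(status):
    """Return the status string if it is safe to emit, else raise ValueError.
    fullmatch is used so that a trailing newline is rejected as well."""
    if not isinstance(status, str) or not _STATUS_RE.fullmatch(status):
        raise ValueError("bad status line: %r" % (status,))
    return status


def check_headers(headers):
    """Validate a WSGI header list of (name, value) pairs."""
    for name, value in headers:
        if not isinstance(name, str) or not _TOKEN_RE.fullmatch(name):
            raise ValueError("bad header name: %r" % (name,))
        if not isinstance(value, str) or _BAD_VALUE_RE.search(value):
            raise ValueError("bad header value: %r" % (value,))
    return headers


def is_safe(status, headers):
    """True if both checks pass; False for anything that would split the response."""
    try:
        check_status(status)
        check_headers(headers)
    except ValueError:
        return False
    return True


def checked_start_response(real_start_response):
    """Hypothetical wrapper: validate before delegating to the server's
    start_response, so a bad status or header never reaches the socket."""
    def start_response(status, headers, exc_info=None):
        check_status(status)
        check_headers(headers)
        return real_start_response(status, headers, exc_info)
    return start_response
```

Both apps from the report above fail the check: the first on the status line, the second on the `"\r\n"` header name.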


I used mod_wsgi as a source of inspiration for where to add the check, but additional checks can and probably should be added. Thanks for this report, I will work on getting these fixed.

@bertjwregeer bertjwregeer added this to the 0.9.0 milestone Mar 18, 2016

I think PR #124 should cover it.


For the status line, mod_wsgi is probably relying on Apache rejecting it. If Apache isn't failing it in some way I should add a check. There should already be checks in mod_wsgi for HTTP header names and values.


Nope, mod_wsgi has:

so it should be validating the status line and rejecting the presence of any control characters.

I should check that works. :-)

@pyup-vuln-bot pyup-vuln-bot referenced this issue in pyupio/safety-db Dec 27, 2016

Changelog waitress version 0.9.0 #2020
