Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible HTTP Response Splitting Vulnerability #217

liquidworm opened this issue Oct 7, 2015 · 2 comments

Possible HTTP Response Splitting Vulnerability #217

liquidworm opened this issue Oct 7, 2015 · 2 comments


Copy link


Please review the published advisory, probably it's in the API WebOb which is not documented here:

Probably there are other WebOb applications with similar issues.

Here is the advisory:


Copy link

Okay, so some sample code to make this a little more clear:

def test_HTTPMove_location_newlines():
    def start_response(status, headers, exc_info=None):
    environ = {
       'wsgi.url_scheme': 'HTTP',
       'SERVER_NAME': 'localhost',
       'SERVER_PORT': '80',
       'PATH_INFO': '/',
    m = webob_exc._HTTPMove(location='\r\nX-Test: false')
    m( environ, start_response )

The data that is printed is:

    ('Content-Type', 'text/html; charset=UTF-8'),
    ('Content-Length', '0'),
    ('Location', '\r\nX-Test: false')

This is passed off to start_response(), which is generally provided by a WSGI compatible server. I don't believe it's WebOb's responsibility to sanitize header information being sent to the WSGI server.

Copy link

FWIW. Apache/mod_wsgi should raise a ValueError exception out of start_response() if given a header value with embedded \r or \n.

Many other WSGI servers, if not perhaps all of them, don't bother with such validation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

3 participants