Add extra security checks for Headers #229

merged 2 commits into from Jan 3, 2016

This adds a sort of seatbelt that makes sure that applications using WebOb are less likely to be vulnerable to HTTP response splitting. Unfortunately due to the flexibility of WebOb it is difficult to guarantee that you can't add a header that is vulnerable, but this adds one more line of defense.

Closes #217
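The kind of check the description is talking about, as an added example (this is not WebOb's own implementation; `check_header`, `is_safe_header` and `serialize_headers` are names chosen here): header names must be tokens and header values may not contain control characters, so a CR/LF smuggled into a value can never terminate the header block.

```python
import re

# Added example, not WebOb's own code. Every ASCII control character
# (0x00-0x1F, 0x7F) is refused in a header value and names must be RFC 7230
# tokens. Refusing CR and LF is what stops a value from ending the header
# block and starting a second, attacker-chosen response (response splitting);
# the remaining control characters, tab included, are refused as extra safety.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the header block."""


def check_header(name, value):
    """Return (name, value) if both are safe, else raise HeaderInjectionError."""
    if not isinstance(name, str) or not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if not isinstance(value, str):
        raise HeaderInjectionError(f"header value must be str: {value!r}")
    bad = _CONTROL_CHARS.search(value)
    if bad:
        raise HeaderInjectionError(
            f"control character {bad.group()!r} in header {name!r}")
    return name, value


def is_safe_header(name, value):
    """Boolean form of check_header, for filters and tests."""
    try:
        check_header(name, value)
    except HeaderInjectionError:
        return False
    return True


def serialize_headers(headers):
    """Serialise (name, value) pairs into a CRLF-delimited header block.

    Each pair is validated first, so the only CR/LF bytes in the output are
    the delimiters this function writes, never ones smuggled in via a value.
    """
    lines = [f"{n}: {v}" for n, v in (check_header(n, v) for n, v in headers)]
    return "\r\n".join(lines) + "\r\n\r\n"
```

A constructed redirect target such as `"/home\r\nX-Injected: 1"` is refused by `check_header` before it can become a second header line, while ordinary values pass through unchanged.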

bertjwregeer added some commits Jan 3, 2016

bertjwregeer: Add tests with invalid header values (07a3fd0)

bertjwregeer: Headers may no longer contain control characters

    We want to provide some extra seatbelts for security reasons. HTTP
    Response Splitting is on the OWASP list after all. This should not cause
    any issues for existing applications that are well behaved; only if
    untrusted user input is used would this be an issue. However, it is hard
    to argue against extra safety nets.

bertjwregeer merged commit 97041f5 into master Jan 3, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

bertjwregeer added this to the Version 1.6 milestone Jan 3, 2016
bertjwregeer deleted the feature/header_seatbelt branch Jan 3, 2016
bertjwregeer removed the backport label Mar 16, 2016