
Add extra security checks for Headers #229

Merged
merged 2 commits into from Jan 3, 2016

Conversation


@bertjwregeer bertjwregeer commented Jan 3, 2016

This adds a sort of seatbelt that makes sure that applications using WebOb are less likely to be vulnerable to HTTP response splitting. Unfortunately due to the flexibility of WebOb it is difficult to guarantee that you can't add a header that is vulnerable, but this adds one more line of defense.

Closes #217
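As an added illustration of the kind of seatbelt this pull request describes (this is example code written for this page, not WebOb's implementation; `check_header`, `SafeHeaders` and the assumed token grammar are my own), the following rejects any header name or value that could terminate the current header line and start a new one:

```python
import re

# Carriage return, line feed and NUL are the bytes that let an attacker-controlled
# value end the current header line and begin a new header or a second response.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# Assumption: header names are restricted to RFC 7230 "token" characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the response."""


def check_header(name, value):
    """Return (name, value) unchanged if it is safe to emit, otherwise raise."""
    if not isinstance(name, str) or not isinstance(value, str):
        raise TypeError("header name and value must be str")
    # fullmatch, not match: a pattern anchored with '$' would accept a trailing '\n'.
    if not _TOKEN.fullmatch(name):
        raise HeaderInjectionError("invalid header name: %r" % name)
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError("CR, LF or NUL in value of %r" % name)
    return name, value


def header_is_safe(name, value):
    """Boolean form of check_header, convenient for validating untrusted input."""
    try:
        check_header(name, value)
    except (HeaderInjectionError, TypeError):
        return False
    return True


class SafeHeaders:
    """Minimal list-of-tuples header store that validates on every write."""

    def __init__(self):
        self._items = []

    def add(self, name, value):
        self._items.append(check_header(name, value))

    def __setitem__(self, name, value):
        check_header(name, value)
        # Header names are case-insensitive: replace any existing entry.
        self._items = [(n, v) for n, v in self._items if n.lower() != name.lower()]
        self._items.append((name, value))

    def items(self):
        return list(self._items)

    def render(self):
        """Serialize the header block as it would appear on the wire."""
        return "".join("%s: %s\r\n" % (n, v) for n, v in self._items) + "\r\n"
```

Because validation happens on every write rather than at serialization time, an application that copies a user-supplied redirect target into `Location` gets an exception at the point of the mistake instead of a split response.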

bertjwregeer added 2 commits Jan 3, 2016
We want to provide some extra seatbelts for security reasons. HTTP
Response Splitting is on the OWASP list after all. This should not cause
any issues for existing applications that are well behaved, only if
untrusted user input is used would this be an issue. However it is hard
to argue against extra safety nets.
bertjwregeer added a commit that referenced this pull request Jan 3, 2016
Add extra security checks for HTTP Headers

Avoid HTTP Response Splitting.
@bertjwregeer bertjwregeer merged commit 97041f5 into master Jan 3, 2016
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@bertjwregeer bertjwregeer added this to the Version 1.6 milestone Jan 3, 2016
@bertjwregeer bertjwregeer deleted the feature/header_seatbelt branch Jan 3, 2016