New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add extra security checks for Headers #229

merged 2 commits into from Jan 3, 2016


None yet
1 participant
Copy link

bertjwregeer commented Jan 3, 2016

This adds a sort of seatbelt that makes sure that applications using WebOb are less likely to be vulnerable to HTTP response splitting. Unfortunately due to the flexibility of WebOb it is difficult to guarantee that you can't add a header that is vulnerable, but this adds one more line of defense.

Closes #217

bertjwregeer added some commits Jan 3, 2016

Headers may no longer contain control characters
We want to provide some extra seatbelts for security reasons. HTTP
Response Splitting is on the OWASP list after all. This should not cause
any issues for existing applications that are well behaved, only if
untrusted user input is used would this be an issue. However it is hard
to argue against extra safety nets.

bertjwregeer added a commit that referenced this pull request Jan 3, 2016

Merge pull request #229 from Pylons/feature/header_seatbelt
Add extra security checks for HTTP Headers

Avoid HTTP Response Splitting.

@bertjwregeer bertjwregeer merged commit 97041f5 into master Jan 3, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@bertjwregeer bertjwregeer added this to the Version 1.6 milestone Jan 3, 2016

@bertjwregeer bertjwregeer deleted the feature/header_seatbelt branch Jan 3, 2016

@bertjwregeer bertjwregeer removed the backport label Mar 16, 2016

@pyup-bot pyup-bot referenced this pull request Nov 3, 2017


Update webob to 1.7.3 #434

@pyup-bot pyup-bot referenced this pull request Jan 26, 2018


Update webob to 1.7.4 #407

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment