Skip to content

gh-142533: Prevent CRLF injection in HTTP headers #142605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tadejmagajna wants to merge 4 commits into
base: main
Choose a base branch
from
+99 −14
Open

gh-142533: Prevent CRLF injection in HTTP headers #142605

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6d53fd6
gh-142533: Prevent CRLF injection in HTTP headers
tadejmagajna Dec 11, 2025
5e56689
gh-142533: Fix lint issues in news fragment
tadejmagajna Dec 11, 2025
6d661e8
Ensure CRLF check only performed on string headers
tadejmagajna Dec 11, 2025
2f0605a
gh-142533: Validate CRLF in send_response_only and add test
tadejmagajna Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
gh-142533: Validate CRLF in send_response_only and add test
  • Loading branch information
@tadejmagajna
tadejmagajna committed Dec 12, 2025
commit 2f0605aa2c909beca0a3f2bf79f59e4841fd107e
1 change: 1 addition & 0 deletions Lib/http/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -552,6 +552,7 @@ def send_response_only(self, code, message=None):
message = ''
if not hasattr(self, '_headers_buffer'):
self._headers_buffer = []
_validate_header_string(message)
self._headers_buffer.append(("%s %d %s\r\n" %
(self.protocol_version, code, message)).encode(
'latin-1', 'strict'))
Expand Down
13 changes: 13 additions & 0 deletions Lib/test/test_httpservers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1052,6 +1052,19 @@ def test_header_buffering_of_send_response_only(self):
handler.end_headers()
self.assertEqual(output.numWrites, 1)

def test_send_response_only_rejects_crlf_message(self):
input = BytesIO(b'GET / HTTP/1.1\r\n\r\n')
output = AuditableBytesIO()
handler = SocketlessRequestHandler()
handler.rfile = input
handler.wfile = output
handler.request_version = 'HTTP/1.1'

with self.assertRaises(ValueError) as ctx:
handler.send_response_only(418, 'value\r\nSet-Cookie: custom=true')
self.assertIn('Invalid header name/value: contains CR or LF',
str(ctx.exception))

def test_header_buffering_of_send_header(self):

input = BytesIO(b'GET / HTTP/1.1\r\n\r\n')
Expand Down
Loading