Skip to content

gh-142533: Prevent CRLF injection in HTTP headers #142605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tadejmagajna wants to merge 4 commits into
base: main
Choose a base branch
from
Open

gh-142533: Prevent CRLF injection in HTTP headers #142605

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6d53fd6
gh-142533: Prevent CRLF injection in HTTP headers
tadejmagajna Dec 11, 2025
5e56689
gh-142533: Fix lint issues in news fragment
tadejmagajna Dec 11, 2025
6d661e8
Ensure CRLF check only performed on string headers
tadejmagajna Dec 11, 2025
2f0605a
gh-142533: Validate CRLF in send_response_only and add test
tadejmagajna Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Ensure CRLF check only performed on string headers
  • Loading branch information
@tadejmagajna
tadejmagajna committed Dec 11, 2025
commit 6d661e892d7969daca0a8e7e761cd91ddf69a962
2 changes: 1 addition & 1 deletion Lib/http/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@

def _validate_header_string(value):
"""Validate header values preventing CRLF injection."""
if '\r' in value or '\n' in value:
if isinstance(value, str) and ('\r' in value or '\n' in value):
raise ValueError('Invalid header name/value: contains CR or LF')

class HTTPServer(socketserver.TCPServer):
Expand Down
Loading