Skip to content

gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules #143395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vstinner merged 8 commits into from
Apr 2, 2026
Merged

gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules #143395

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b1edcf8
gh-142533: Document CRLF injection vulnerability in http.server and w…
tadejmagajna Jan 3, 2026
39c5198
gh-142533: Remove reduntant NEWS entry
tadejmagajna Jan 4, 2026
2751d9b
gh-142533: Ensure CRLF is mentioned in the security consideration sec…
tadejmagajna Jan 4, 2026
d88da64
gh-142533: Added label and spacing
tadejmagajna Jan 4, 2026
57ff6a9
Merge branch 'main' into gh-142533-document-server-header-vulnerability
tadejmagajna Apr 1, 2026
0be4e58
gh-142533: Remove vulnerability warnings from wsgiref module document…
tadejmagajna Apr 1, 2026
3f8dd05
Accept commit suggestion reg. http header reference
tadejmagajna Apr 2, 2026
eb4fbfb
gh-142533: Document CRLF vulnerability also for send_response_only
tadejmagajna Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions Doc/library/http.server.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,10 @@ instantiation, of which this module provides three different variants:
specifying its value. Note that, after the send_header calls are done,
:meth:`end_headers` MUST BE called in order to complete the operation.

This method does not reject input containing CRLF sequences allowing the
possibility of CRLF injection, where a single method call can inject
multiple arbitrary headers.
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This method does not reject input containing CRLF sequences allowing the
possibility of CRLF injection, where a single method call can inject
multiple arbitrary headers.
This method does not reject input containing CRLF sequences.

Only mention the possibility of CRLF injection in the security consideration section.

Copy link
Copy Markdown
Contributor Author

@tadejmagajna tadejmagajna Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the suggestion. Addressed for both modules


.. versionchanged:: 3.2
Headers are stored in an internal buffer.

Expand Down Expand Up @@ -555,6 +559,10 @@ Security considerations
requests, this makes it possible for files outside of the specified directory
to be served.

The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input
Copy link
Copy Markdown
Member

@vstinner vstinner Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and send_response_only()

and does not perform input validation such as checking for the presence of CRLF
sequences. Untrusted input may result in CRLF injection attacks.

Earlier versions of Python did not scrub control characters from the
log messages emitted to stderr from ``python -m http.server`` or the
default :class:`BaseHTTPRequestHandler` ``.log_message``
Expand Down
9 changes: 9 additions & 0 deletions Doc/library/wsgiref.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,6 +263,9 @@ manipulation of WSGI response headers using a mapping-like interface.

Content-Disposition: attachment; filename="bud.gif"

This method does not reject input containing CRLF sequences allowing the
possibility of CRLF injection, where a single method call can inject
multiple arbitrary headers.
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto.


.. versionchanged:: 3.5
*headers* parameter is optional.
Expand Down Expand Up @@ -896,4 +899,10 @@ directory and port number (default: 8000) on the command line::
print("Shutting down.")
httpd.server_close()

Security considerations
-----------------------
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please format this the same as we did for Http.server, that is: add a label and enough blank lines.


The :class:`wsgiref.headers.Headers` class assumes sanitized input for header
names and values and does not perform input validation such as checking for the
presence of CRLF sequences. Untrusted input may result in CRLF injection
attacks.
Loading