New submission from RAUSHAN RAJ: https://www.owasp.org/index.php/CRLF_Injection
Issue is in wsgiref.headers – WSGI response header tools

This module provides a single class, Headers, for convenient manipulation of WSGI response headers using a mapping-like interface.

class wsgiref.headers.Headers(headers)

Example:

    >>> import wsgiref.headers as hd
    >>> h=hd.Headers([])
    >>> h.add_header(' Content-type'+chr(10)+'set-cook:5', 'text/plain')
    >>> h
    Headers([(' Content-type\nset-cook:5', 'text/plain')])
    >>> str(h)
    ' Content-type\nset-cook:5: text/plain\r\n\r\n'

Response in browser looks like this:

[Inline image 1]

An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values.

Also, no whitespace is allowed between the header field-name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject any received request message that contains whitespace between a header field-name and colon with a response code of 400 (Bad Request). A proxy MUST remove any such whitespace from a response message before forwarding the message downstream.

But the add_header function allows whitespace as well.

Tested for Python 2.7.9 and Python 3.5.1.

For reference, it is related to (in this case request header injection is possible):
https://bugs.python.org/issue22928
http://bugs.python.org/issue17322

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28778>
_______________________________________
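
A defensive wrapper for the behaviour reported above, as an added example that is not part of the original report or of CPython. `StrictHeaders`, `check_header` and `_clean` are hypothetical names; the code assumes Python 3, checks field-names against the RFC 7230 token grammar (so whitespace and newlines are refused) and refuses CR, LF and NUL in values and parameters.

```python
import re
from wsgiref.headers import Headers

# RFC 7230 "token": the only characters permitted in a header field-name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Characters that would end the header line or truncate it: CR, LF, NUL.
_BAD = re.compile(r"[\r\n\x00]")


def _clean(text):
    """True when text is a str with no CR, LF or NUL."""
    return isinstance(text, str) and not _BAD.search(text)


def check_header(name, value):
    """Raise ValueError unless (name, value) is safe to write as one header."""
    if not isinstance(name, str) or not _TOKEN.fullmatch(name):
        raise ValueError("invalid header field-name: %r" % (name,))
    if not _clean(value):
        raise ValueError("invalid value for header %s: %r" % (name, value))


class StrictHeaders(Headers):
    """Hypothetical wrapper: validates on every path that stores a header."""

    def __init__(self, headers=None):
        for name, value in headers or []:
            check_header(name, value)
        super().__init__(headers)

    def __setitem__(self, name, value):
        check_header(name, value)
        super().__setitem__(name, value)

    def setdefault(self, name, value):
        # Headers.setdefault appends directly, so it needs its own check.
        check_header(name, value)
        return super().setdefault(name, value)

    def add_header(self, _name, _value, **_params):
        check_header(_name, "" if _value is None else _value)
        for key, val in _params.items():
            if not _clean(key) or not (val is None or _clean(val)):
                raise ValueError("invalid header parameter: %r=%r" % (key, val))
        super().add_header(_name, _value, **_params)
```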