New submission from RAUSHAN RAJ:
https://www.owasp.org/index.php/CRLF_Injection
Issue is in wsgiref.headers – WSGI response header tools
This module provides a single class, Headers, for convenient manipulation of
WSGI response headers using a mapping-like interface.
class wsgiref.headers.Headers(headers)
Example:
import wsgiref.headers as hd
h=hd.Headers([])
h.add_header(' Content-type'+chr(10)+'set-cook:5', 'text/plain')
h
Headers([(' Content-type\nset-cook:5', 'text/plain')])
str(h)
' Content-type\nset-cook:5: text/plain\r\n\r\n'
Response in Browser looks like this:
Inline image 1
An attacker could use this flaw to inject additional headers in a Python
application that allowed user provided header names or values.
Also,
No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.
But add_header function allow whitespaces also.
Tested for python 2.7.9 and python 3.5.1
For reference , it is related to (In this case request header injection is
possible)
https://bugs.python.org/issue22928
http://bugs.python.org/issue17322
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28778>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
