Skip to content

gh-144370: Disallow usage of control characters in header names, values and statuses in Lib/wsgiref/handlers.py for security #144371

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
benediktjohannes wants to merge 39 commits into
base: main
Choose a base branch
from
+19 −5
Open

gh-144370: Disallow usage of control characters in header names, values and statuses in Lib/wsgiref/handlers.py for security #144371

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
3b0169b
Disallow usage of control characters in status, headers and values fo…
benediktjohannes Jan 31, 2026
9414df2
Add missing import of "re"
benediktjohannes Jan 31, 2026
49ddbca
📜🤖 Added by blurb_it.
blurb-it[bot] Jan 31, 2026
5dd863b
Update Lib/wsgiref/handlers.py
benediktjohannes Feb 4, 2026
3daaa72
Update Lib/wsgiref/handlers.py
benediktjohannes Feb 4, 2026
8b149df
Update handlers.py
benediktjohannes Feb 4, 2026
010fd50
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
8c9a691
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
f301791
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
e3b78a0
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
24cfb00
Test whether if statement is reachable
benediktjohannes Feb 4, 2026
75a89b8
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
e322666
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
d731520
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
c039ef2
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
edb54a2
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
b491245
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
379937e
Update test_wsgiref.py
benediktjohannes Feb 4, 2026
db12d86
Use more strict name=True for status because it shouldn't IMO include…
benediktjohannes Feb 4, 2026
f206bf3
Change it back at first to see if test passes (and then change it bac…
benediktjohannes Feb 4, 2026
b899f69
Test if assertRaise raises an error that there is a mistake if no err…
benediktjohannes Feb 6, 2026
2d1b890
this is just a temporary check as described above
benediktjohannes Feb 6, 2026
df5cfdf
Change this back
benediktjohannes Feb 6, 2026
fb527db
Update handlers.py
benediktjohannes Feb 6, 2026
e84de9a
Remove this because I use the more strict one for status without the …
benediktjohannes Feb 6, 2026
95701e4
Remove f"keys"
benediktjohannes Feb 6, 2026
82d7f7a
Add string again without keys
benediktjohannes Feb 6, 2026
76d011e
Update handlers.py
benediktjohannes Feb 6, 2026
5a4448b
Update handlers.py
benediktjohannes Feb 6, 2026
ecff2b9
Update 2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
benediktjohannes Feb 6, 2026
eaa3d98
Merge branch 'python:main' into patch-4
benediktjohannes Feb 12, 2026
8dc51e7
Use regexes out of headers
benediktjohannes Feb 12, 2026
aec77f0
Remove unused regexes
benediktjohannes Feb 12, 2026
c7b66c4
Update Lib/wsgiref/handlers.py
benediktjohannes Feb 13, 2026
e763355
Update Misc/NEWS.d/next/Security/2026-01-31-21-56-54.gh-issue-144370.…
benediktjohannes Feb 13, 2026
4975676
Change this to injections because it's not only header injection, but…
benediktjohannes Feb 13, 2026
ab34b36
Update 2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
benediktjohannes Feb 13, 2026
f0a59ef
Update 2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
benediktjohannes Feb 13, 2026
e369b59
Added Seth Michael Larson to ACKS
benediktjohannes Feb 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions Lib/test/test_wsgiref.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -855,6 +855,13 @@ def write(self, b):
self.assertIsNotNone(h.status)
self.assertIsNotNone(h.environ)

def testRaisesControlCharacters(self):
for c0 in control_characters_c0():
with self.subTest(c0):
base = BaseHandler()
headers = [('x','y')]
self.assertRaises(ValueError, base.start_response, f"{c0}", headers)
Copy link
Member

@vstinner vstinner Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add tests on header keys and header names.

Copy link
Member

@vstinner vstinner Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ignore my comment if you implement my second comment on only checking status in Lib/wsgiref/handlers.py :-)



class TestModule(unittest.TestCase):
def test_deprecated__version__(self):
Expand Down
13 changes: 8 additions & 5 deletions Lib/wsgiref/handlers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
"""Base classes for server/gateway implementations"""

from .util import FileWrapper, guess_scheme, is_hop_by_hop
from .headers import Headers
from .headers import Headers, _name_disallowed_re, _value_disallowed_re

import sys, os, time

Expand Down Expand Up @@ -237,13 +237,13 @@ def start_response(self, status, headers,exc_info=None):

self.status = status
self.headers = self.headers_class(headers)
status = self._convert_string_type(status, "Status")
status = self._convert_string_type(status, "Status", name=True)
Copy link
Member

@vstinner vstinner Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to only check the status using a regex here to leave _convert_string_type() unchanged?

self._validate_status(status)

if __debug__:
for name, val in headers:
name = self._convert_string_type(name, "Header name")
val = self._convert_string_type(val, "Header value")
name = self._convert_string_type(name, "Header name", name=True)
val = self._convert_string_type(val, "Header value", name=False)
assert not is_hop_by_hop(name),\
f"Hop-by-hop header, '{name}: {val}', not allowed"

Expand All @@ -257,9 +257,12 @@ def _validate_status(self, status):
if status[3] != " ":
raise AssertionError("Status message must have a space after code")

def _convert_string_type(self, value, title):
def _convert_string_type(self, value, title, *, name):
"""Convert/check value type."""
if type(value) is str:
regex = (_name_disallowed_re if name else _value_disallowed_re)
if regex.search(value):
raise ValueError("Control characters not allowed in headers and status")
return value
raise AssertionError(
"{0} must be of type str (got {1})".format(title, repr(value))
Expand Down
1 change: 1 addition & 0 deletions Misc/ACKS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1078,6 +1078,7 @@ Wolfgang Langner
Detlef Lannert
Rémi Lapeyre
Soren Larsen
Seth Michael Larson
Amos Latteier
Keenan Lau
Piers Lauder
Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Security/2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Disallow usage of control characters in headers and status
in :mod:`wsgiref.handlers` to prevent injections.
Patch by Benedikt Johannes.
Loading