This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch check-crlf-in-headers in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit e3afe4241560b9950ce089645698ba7024721e36
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Mar 3 10:35:41 2026 -0800
Validate no CR/LF in http header values
---
 atr/web.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/atr/web.py b/atr/web.py
index 47bdd842..ce2a4656 100644
--- a/atr/web.py
+++ b/atr/web.py
@@ -245,6 +245,8 @@ class HeaderValue:
 raise ValueError(f"Header value cannot contain double quotes: {text}")
 if "\x00" in text:
 raise ValueError(f"Header value cannot contain null bytes: {text}")
+ if ("\r" in text) or ("\n" in text):
+ raise ValueError(f"Header value cannot contain CR/LF characters: {text}")
 headers = werkzeug.datastructures.headers.Headers()
 headers.add("X-Header-Value", value, **kwargs)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
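Review bot: The new `raise` on the second added line interpolates `text` verbatim into the exception message, and at that point `text` is known to contain CR or LF, so any handler that logs or echoes the message carries the line break along with it. Format the rejected value with its repr instead, `raise ValueError(f"Header value cannot contain CR/LF characters: {text!r}")`; the null-byte message in the context line above has the same shape. The check also names only `\r` and `\n`, so other control characters still reach `headers.add(...)`, and whether Werkzeug rejects them there is not visible from this hunk. The enclosing method of `HeaderValue` starts and ends outside the hunk, and the commit touches only `atr/web.py`, so a test pinning the new rejection would be worth adding.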
