This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new bd420896 Validate no CR/LF in http header values
bd420896 is described below
commit bd4208964e7b897bb54369dfbe0fb14b3cd1f593
Author: Dave Fisher <[email protected]>
AuthorDate: Tue Mar 3 10:35:41 2026 -0800
Validate no CR/LF in http header values
---
atr/web.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/atr/web.py b/atr/web.py
index 47bdd842..ce2a4656 100644
--- a/atr/web.py
+++ b/atr/web.py
@@ -245,6 +245,8 @@ class HeaderValue:
raise ValueError(f"Header value cannot contain double quotes:
{text}")
if "\x00" in text:
raise ValueError(f"Header value cannot contain null bytes:
{text}")
+ if ("\r" in text) or ("\n" in text):
+ raise ValueError(f"Header value cannot contain CR/LF
characters: {text}")
headers = werkzeug.datastructures.headers.Headers()
headers.add("X-Header-Value", value, **kwargs)
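Review bot: The new ValueError message interpolates `{text}` verbatim, and on this branch the value is known to contain a CR or LF, so the exception text itself carries a line break into whatever logs or responses surface it; the existing double-quote and null-byte messages have the same shape, but for this check it matters most. Use the repr so control characters are shown escaped: `raise ValueError(f"Header value cannot contain CR/LF characters: {text!r}")`. The check could also be written as a single membership test, `if any(c in text for c in "\r\n"):`, which reads the same and makes it easy to extend to other forbidden control characters should that be wanted. The enclosing method of `HeaderValue` starts before this hunk, so whether an earlier guard already covers other control bytes cannot be seen here.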