#37100: Prevent header injection through malformed response reason phrase
-----------------------------+-----------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: HTTP handling
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
`HttpResponse.reason_phrase` is not correctly sanitized when creating a
response body:
{{{#!python
HttpResponse(
"body",
reason="OK\r\nX-Injected-header: yes",
)
}}}
This results in an extra header in the response, which is not present in
`.headers`.
The [https://peps.python.org/pep-0333/#the-start-response-callable WSGI
spec] requires that the status line (which contains the reason phrase)
must not contain whitespace or other control characters. Therefore, Django
should sanitize the input.
----
This was previously reported to the Security Team by rasputinkaiser;
however, as the reason phrase is never intended to be user-controlled, it
was not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37100>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
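The mechanism the ticket describes, as an added illustration that is not part of the ticket and not Django's own code: a minimal, dependency-free model of how a WSGI server turns `status_code` plus `reason` into the status line, how a CRLF inside the reason phrase becomes a header that a client will parse even though it never existed in the response's header dict, and a `validate_reason_phrase()` check based on the RFC 9112 reason-phrase grammar (HTAB / SP / VCHAR / obs-text). The function names, the "Unknown Status Code" fallback and the `sanitize` switch are this example's own; Django's real `HttpResponse` is not imported.

```python
import re
from http import HTTPStatus

# RFC 9112 section 4: reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ).
# Anything outside this set, most importantly CR and LF, can terminate the
# status line early and start a new header line.
_REASON_PHRASE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


class BadReasonPhraseError(ValueError):
    """Raised for a reason phrase that cannot be placed safely on the status line."""


def validate_reason_phrase(reason):
    """Return `reason` unchanged if it is a legal HTTP reason phrase, else raise."""
    if not isinstance(reason, str):
        raise BadReasonPhraseError("reason phrase must be a str")
    if _REASON_PHRASE_RE.fullmatch(reason) is None:
        raise BadReasonPhraseError(
            "reason phrase contains control or non-latin-1 characters: %r" % reason
        )
    return reason


def status_line(status_code, reason=None, sanitize=True):
    """Build the WSGI `status` string ("200 OK") the way a response object would.

    `sanitize=False` reproduces the unchecked behaviour the ticket reports;
    `sanitize=True` is the check the ticket asks for. (Hypothetical API.)
    """
    if reason is None:
        try:
            reason = HTTPStatus(status_code).phrase
        except ValueError:
            reason = "Unknown Status Code"  # fallback text chosen for this example
    if sanitize:
        validate_reason_phrase(reason)
    return "%d %s" % (status_code, reason)


def serialize_response(status_code, headers, body, reason=None, sanitize=True):
    """Emit the raw HTTP/1.1 message a naive server writes to the socket.

    `headers` is a list of (name, value) pairs; nothing here checks values,
    so the only line that can smuggle a header is the status line.
    """
    lines = ["HTTP/1.1 " + status_line(status_code, reason, sanitize)]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response_headers(raw):
    """Parse a raw response as an HTTP client does: (status_line, {lower-name: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    first, *header_lines = head.split("\r\n")
    parsed = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return first, parsed


if __name__ == "__main__":
    # Constructed input mirroring the ticket: a CRLF hidden in the reason phrase.
    injected = "OK\r\nX-Injected-header: yes"
    raw = serialize_response(200, [("Content-Type", "text/plain")], "body",
                             reason=injected, sanitize=False)
    print(parse_response_headers(raw))  # the client now sees x-injected-header
    try:
        serialize_response(200, [], "body", reason=injected)  # sanitize=True
    except BadReasonPhraseError as exc:
        print("rejected:", exc)
```

Running the client-side parser over the unsanitized output is the point: the injected header is invisible on the server side (it is not in `headers`) but fully real to whoever receives the bytes. The check is deliberately an allow-list over the RFC grammar rather than a blacklist of `\r` and `\n`, so other C0 controls and NUL are rejected as well.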