https://github.com/python/cpython/commit/dbba26dabee2b685539df0c0d9e06bc21c4d2c3a
commit: dbba26dabee2b685539df0c0d9e06bc21c4d2c3a
branch: 3.14
author: Miss Islington (bot) <[email protected]>
committer: vstinner <[email protected]>
date: 2026-04-02T21:32:48Z
summary:

[3.14] gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395) (#148020)

gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395)
(cherry picked from commit 617f4cc1c2605b86b4833450253c3599b61d6638)

Co-authored-by: Tadej Magajna <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>

files:
M Doc/library/http.server.rst

diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
index b47da97d3f28e3..7705fa3f140845 100644
--- a/Doc/library/http.server.rst
+++ b/Doc/library/http.server.rst
@@ -287,6 +287,8 @@ instantiation, of which this module provides three 
different variants:
       specifying its value. Note that, after the send_header calls are done,
       :meth:`end_headers` MUST BE called in order to complete the operation.
 
+      This method does not reject input containing CRLF sequences.
+
       .. versionchanged:: 3.2
          Headers are stored in an internal buffer.
 
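Review bot: the added sentence "This method does not reject input containing CRLF sequences." does not say which input is meant or what the consequence is; since the method takes a header name and a value (the context line above talks about "specifying its value"), consider naming both explicitly and telling the reader that the caller is responsible for rejecting or stripping CR and LF before calling it, with a cross-reference to the Security considerations paragraph this same patch adds, so that the warning in the method description and the one in the security section point at each other.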
@@ -297,6 +299,8 @@ instantiation, of which this module provides three 
different variants:
       buffered and sent directly the output stream.If the *message* is not
       specified, the HTTP message corresponding the response *code*  is sent.
 
+      This method does not reject *message* containing CRLF sequences.
+
       .. versionadded:: 3.2
 
    .. method:: end_headers()
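Review bot: since this paragraph is being touched anyway, the two context lines right above the addition carry typos worth fixing in the same change: "buffered and sent directly the output stream.If the *message* is not" should read "buffered and sent directly to the output stream. If the *message* is not", and "the HTTP message corresponding the response *code*  is sent" should read "the HTTP message corresponding to the response *code* is sent" (missing "to", double space). The added sentence itself could, like the one in :meth:`send_header`, say that callers must validate *message* themselves and point at the Security considerations section.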
@@ -622,6 +626,11 @@ Security considerations
 requests, this makes it possible for files outside of the specified directory
 to be served.
 
+Methods :meth:`BaseHTTPRequestHandler.send_header` and
+:meth:`BaseHTTPRequestHandler.send_response_only` assume sanitized input
+and does not perform input validation such as checking for the presence of CRLF
+sequences. Untrusted input may result in HTTP Header injection attacks.
+
 Earlier versions of Python did not scrub control characters from the
 log messages emitted to stderr from ``python -m http.server`` or the
 default :class:`BaseHTTPRequestHandler` ``.log_message``
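Review bot: subject-verb agreement in the new paragraph: the subject is the plural "Methods :meth:`BaseHTTPRequestHandler.send_header` and :meth:`BaseHTTPRequestHandler.send_response_only`", so "assume sanitized input and does not perform input validation" should read "assume sanitized input and do not perform input validation". Two smaller points: "HTTP Header injection attacks" would normally be written "HTTP header injection attacks", and since the paragraph already says these methods assume sanitized input, it would help to state the mitigation plainly, i.e. that code passing data derived from the request (or any other untrusted source) to these methods must reject or strip CR and LF characters first.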

_______________________________________________
Python-checkins mailing list -- [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org