[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[Ashwin Ramaswami]

Change by Ashwin Ramaswami :


--
keywords: +patch
pull_requests: +15024
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/15299

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[Ashwin Ramaswami]

Change by Ashwin Ramaswami :


--
versions: +Python 2.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[Ashwin Ramaswami]

Change by Ashwin Ramaswami :


--
nosy: +epicfaace
versions: +Python 3.9 -Python 2.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[Terry J. Reedy]

Change by Terry J. Reedy :


--
versions:  -Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[Martin Panter]

Martin Panter  added the comment:

Issue 11671 is closely related and has a patch proposing to ban control 
characters including CRLF (but not spaces).

Also see Issue 22928 which added header field validation to the HTTP client 
module.

--
dependencies: +Security hole in wsgiref.headers.Headers
nosy: +martin.panter

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[RAUSHAN RAJ]

New submission from RAUSHAN RAJ:

https://www.owasp.org/index.php/CRLF_Injection

Issue is in wsgiref.headers – WSGI response header tools 
This module provides a single class, Headers, for convenient manipulation of 
WSGI response headers using a mapping-like interface.
class wsgiref.headers.Headers(headers)

Example:
import wsgiref.headers as hd
h=hd.Headers([])
h.add_header(' Content-type'+chr(10)+'set-cook:5', 'text/plain')
h
Headers([(' Content-type\nset-cook:5', 'text/plain')])
str(h)
' Content-type\nset-cook:5: text/plain\r\n\r\n'

Response in Browser looks like this:

Inline image 1
An attacker could use this flaw to inject additional headers in a Python 
application that allowed user provided header names or values.

Also,
No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.

But add_header function allow whitespaces also.

Tested for python 2.7.9 and python 3.5.1

For reference , it is related to (In this case request header injection is 
possible)
https://bugs.python.org/issue22928
http://bugs.python.org/issue17322

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue28778] wsgiref HTTP Response Header Injection: CRLF Injection

[RAUSHAN RAJ]

Changes by RAUSHAN RAJ :


--
components: Library (Lib)
nosy: RAUSHAN RAJ
priority: normal
severity: normal
status: open
title: wsgiref HTTP Response Header Injection: CRLF Injection
type: security
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com