diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 58f09634f95e0f..f53d8af2d0db91 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -287,6 +287,8 @@ instantiation, of which this module provides three different variants: specifying its value. Note that, after the send_header calls are done, :meth:`end_headers` MUST BE called in order to complete the operation. + This method does not reject input containing CRLF sequences. + .. versionchanged:: 3.2 Headers are stored in an internal buffer. @@ -555,6 +557,10 @@ Security considerations requests, this makes it possible for files outside of the specified directory to be served. +The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input +and does not perform input validation such as checking for the presence of CRLF +sequences. Untrusted input may result in CRLF injection attacks. + Earlier versions of Python did not scrub control characters from the log messages emitted to stderr from ``python -m http.server`` or the default :class:`BaseHTTPRequestHandler` ``.log_message`` diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst index 381c993834753d..7705e82f02967b 100644 --- a/Doc/library/wsgiref.rst +++ b/Doc/library/wsgiref.rst @@ -263,6 +263,7 @@ manipulation of WSGI response headers using a mapping-like interface. Content-Disposition: attachment; filename="bud.gif" + This method does not reject input containing CRLF sequences. .. versionchanged:: 3.5 *headers* parameter is optional. @@ -897,3 +898,12 @@ directory and port number (default: 8000) on the command line:: httpd.server_close() +.. _wsgiref-security: + +Security considerations +----------------------- + +The :class:`wsgiref.headers.Headers` class assumes sanitized input for header +names and values and does not perform input validation such as checking for the +presence of CRLF sequences. Untrusted input may result in CRLF injection +attacks.
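Review bot: In the http.server.rst `send_header` hunk, the added sentence "This method does not reject input containing CRLF sequences." states the limitation but gives the reader no pointer to what to do about it; since the same patch adds a Security considerations paragraph to this file, the sentence should link there with a `:ref:` (the wsgiref hunk introduces a `.. _wsgiref-security:` label for exactly that purpose, and this file would need a matching label) and should say that callers must validate or strip CR and LF before passing untrusted data.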
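Review bot: The http.server.rst Security considerations hunk says `send_header` "assumes sanitized input" without saying which arguments are covered, while the wsgiref hunk is explicit ("for header names and values"); align the wording so it is clear that both the header keyword and its value are passed through unvalidated, e.g. "assumes sanitized input for both the header keyword and value". The second sentence, "Untrusted input may result in CRLF injection attacks", would also be more useful to a maintainer if it stated the concrete consequence already implied by the surrounding text, namely that an attacker-controlled value containing a line break can inject additional headers or terminate the header block, and that the caller is responsible for rejecting such values.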
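Review bot: The wsgiref.rst hunk at `@@ -263,6 +263,7 @@` adds exactly one line and no blank line before `.. versionchanged:: 3.5`; unless a blank context line already separates them, reStructuredText will treat the directive as a continuation of the new paragraph and the version note will not render. The http.server.rst hunk gets this right by adding an explicit blank `+` line, so mirror that here. Also, because the sentence follows a literal example block (`Content-Disposition: attachment; filename="bud.gif"`), "This method" is ambiguous; name the method the note applies to.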
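Review bot: The new `Security considerations` section in wsgiref.rst is appended directly after the `httpd.server_close()` literal block at the end of the file, so nothing in the body of the document leads readers to it; the `add_header`-area hunk earlier in the same file should reference the new `wsgiref-security` label with `:ref:` rather than leaving the label unused. The section also only names the `wsgiref.headers.Headers` class; stating that any WSGI application that copies untrusted request data into header names or values must validate them (reject CR and LF) before handing them to `Headers` would make the guidance actionable rather than purely descriptive.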