
Author pje
Recipients Felix.Gröbert, pje
Date 2011-03-25.18:41:27
Message-id <1301078492.99.0.856467822453.issue11671@psf.upfronthosting.co.za>
In-reply-to
Content
> It is not uncommon that developers provide web applications to the public in which the HTTP response headers are not filtered for newlines but are controlled by the user.

Really?  Which applications, and which response headers?

> Therefore, I suggest to filter/warn/except header tuples which contain the above characters upon assignment in wsgiref.headers.

Applications that send them are not WSGI compliant anyway, since the spec forbids control characters in header strings -- and wsgiref.validate already validates this.

Still, I'm not aware of any legitimate use case for apps sending user input as an HTTP header where the data wouldn't already be escaped in some fashion -- cookies, URLs, ...?
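
The header check in wsgiref.validate mentioned in this message can be observed directly. The following is an added example, not code from the issue or from wsgiref itself: `redirect_app`, `run_validated` and the query strings are constructed for illustration. It wraps an app that copies a query parameter into a response header in `wsgiref.validate.validator` and reports whether the headers were passed on or rejected.

```python
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults
from wsgiref.validate import validator


def redirect_app(environ, start_response):
    """Hypothetical app: copies the 'next' query parameter into Location."""
    target = parse_qs(environ["QUERY_STRING"]).get("next", ["/"])[0]
    start_response("302 Found", [("Content-Type", "text/plain"),
                                 ("Location", target)])
    return [b"redirecting\n"]


def run_validated(query_string):
    """Call redirect_app under wsgiref.validate and report the outcome."""
    environ = {"QUERY_STRING": query_string}
    setup_testing_defaults(environ)   # fills in the rest of a valid environ
    sent = []

    def start_response(status, headers, exc_info=None):
        sent.append((status, headers))
        return lambda data: None      # write() callable required by WSGI

    try:
        body = validator(redirect_app)(environ, start_response)
        try:
            b"".join(body)            # drain the validated iterator
        finally:
            body.close()              # the validator insists on close()
    except AssertionError as exc:
        # The validator raises AssertionError on any spec violation,
        # including control characters (CR, LF, ...) in a header value.
        return "rejected", str(exc)
    return "sent", dict(sent[0][1])


if __name__ == "__main__":
    # Constructed inputs: a plain path, then one with an encoded CR LF.
    print(run_validated("next=/home"))
    print(run_validated("next=/home%0d%0aX-Injected:%201"))
```

The validator is middleware that an application or test suite has to opt into; a server that calls the app directly never runs this check.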
History
Date                 User  Action  Args
2011-03-25 18:41:33  pje   set     recipients: + pje, Felix.Gröbert
2011-03-25 18:41:32  pje   set     messageid: <1301078492.99.0.856467822453.issue11671@psf.upfronthosting.co.za>
2011-03-25 18:41:27  pje   link    issue11671 messages
2011-03-25 18:41:27  pje   create