Message132132
> It is not uncommon that developers provide web applications
> to the public in which the HTTP response headers are not filtered for
> newlines but are controlled by the user.
Really? Which applications, and which response headers?
> Therefore, I suggest to filter/warn/except header tuples which contain
> the above characters upon assignment in wsgiref.headers.
Applications that send them are not WSGI compliant anyway, since the spec forbids control characters in header strings -- and wsgiref.validate already validates this.
Still, I'm not aware of any legitimate use case for apps sending user input as an HTTP header where the data wouldn't already be escaped in some fashion -- cookies, URLs, ...?
Date | User | Action | Args
--- | --- | --- | ---
2011-03-25 18:41:33 | pje | set | recipients: + pje, Felix.Gröbert
2011-03-25 18:41:32 | pje | set | messageid: <1301078492.99.0.856467822453.issue11671@psf.upfronthosting.co.za>
2011-03-25 18:41:27 | pje | link | issue11671 messages
2011-03-25 18:41:27 | pje | create |
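An added example, not code from the tracker thread or from the wsgiref code base, illustrating both points in the exchange: the stock wsgiref.validate.check_headers already rejects a header tuple containing CR/LF, and a small subclass of wsgiref.headers.Headers can refuse such tuples on assignment, as the quoted suggestion proposes. StrictHeaders, is_safe_header, the helper functions and the CRLF sample value are assumed names and constructed data.

```python
import re
from wsgiref.headers import Headers
from wsgiref.validate import check_headers

# CR, LF and the other C0 controls (plus DEL) may not appear in a header.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a value copied from user input without escaping,
# carrying an embedded CRLF.
CRLF_VALUE = "/next\r\nSet-Cookie: injected=1"

def is_safe_header(name, value):
    """True when neither the name nor the value contains a control character."""
    return _CTL.search(name) is None and _CTL.search(value) is None

class StrictHeaders(Headers):
    """wsgiref.headers.Headers that refuses control characters on assignment."""

    def __setitem__(self, name, val):
        if not is_safe_header(name, val):
            raise ValueError("control character in header %r: %r" % (name, val))
        super().__setitem__(name, val)

    def add_header(self, _name, _value, **_params):
        if not is_safe_header(_name, _value):
            raise ValueError("control character in header %r: %r" % (_name, _value))
        super().add_header(_name, _value, **_params)

def rendered_line_count(name, value):
    """Wire lines the stock Headers class emits for one tuple: an unfiltered
    CRLF in the value turns one logical header into two."""
    h = Headers([])
    h[name] = value
    return len([line for line in str(h).split("\r\n") if line])

def validator_rejects(name, value):
    """Whether wsgiref.validate.check_headers already flags this tuple."""
    try:
        check_headers([(name, value)])
    except AssertionError:
        return True
    return False

def strict_rejects(name, value):
    """Whether StrictHeaders refuses the tuple on assignment."""
    try:
        StrictHeaders([])[name] = value
    except ValueError:
        return True
    return False
```

Running the checks against CRLF_VALUE shows the stock Headers class emitting two wire lines for one tuple, while both check_headers and StrictHeaders reject it.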