diff -ur Python-3.6.0/Lib/http/server.py Python-3.6.0-PATCHED/Lib/http/server.py
--- Python-3.6.0/Lib/http/server.py 2016-12-22 21:21:19.000000000 -0500
+++ Python-3.6.0-PATCHED/Lib/http/server.py 2017-01-19 20:16:58.000000000 -0500
@@ -495,8 +495,9 @@
 message = ''
 if not hasattr(self, '_headers_buffer'):
 self._headers_buffer = []
+ safe_message = message.translate({ord(c): None for c in "\r\n"})
 self._headers_buffer.append(("%s %d %s\r\n" %
- (self.protocol_version, code, message)).encode(
+ (self.protocol_version, code, safe_message)).encode(
 'latin-1', 'strict'))
 def send_header(self, keyword, value):
@@ -504,8 +505,10 @@
 if self.request_version != 'HTTP/0.9':
 if not hasattr(self, '_headers_buffer'):
 self._headers_buffer = []
+ safe_keyword = keyword.translate({ord(c): None for c in " \r\n:"})
+ safe_value = value.replace("\r\n", ' ')
 self._headers_buffer.append(
- ("%s: %s\r\n" % (keyword, value)).encode('latin-1', 'strict'))
+ ("%s: %s\r\n" % (safe_keyword, safe_value)).encode('latin-1', 'strict'))
 if keyword.lower() == 'connection':
 if value.lower() == 'close':
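Review bot: The added `safe_message` line in the first hunk has no comment saying why CR and LF are removed from the reason phrase, and it rebuilds the translate table on every call. I would put `# Drop CR/LF so a caller-supplied reason phrase cannot end the status line early.` above it and hoist the table to a module-level constant such as `_CRLF_TABLE = {ord(c): None for c in "\r\n"}`. The enclosing function starts above the hunk, so how `message` is defaulted before this point is only partly visible here.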
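Review bot: `safe_value = value.replace("\r\n", ' ')` in the second hunk only rewrites the two-character CRLF pair, so a value holding a lone `\n` or a lone `\r` still reaches the header buffer unchanged; any peer that accepts a bare LF as a line end would then see an extra header line. The line also calls a str method on `value`, whereas the old `%s` formatting accepted any object, so a caller passing an int (a Content-Length, for instance) would now raise AttributeError. I would handle each character separately, as the status-line hunk does: `safe_value = str(value).translate({ord(c): ' ' for c in "\r\n"})`. The `keyword.lower() == 'connection'` test below still reads the unsanitised `keyword`, and send_header's body continues past the end of the hunk.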