classification
Title: Use \r\n, not \n for HTTP headers
Type: Stage:
Components: Library (Lib) Versions: Python 3.0, Python 2.6, Python 2.5
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: ajaksu2, georg.brandl, gpolo, hiawatha, pitrou
Priority: low Keywords: easy

Created on 2006-11-15 14:01 by hiawatha, last changed 2009-03-14 01:27 by pitrou. This issue is now closed.

Messages (6)
msg61034 - (view) Author: Hugo Leisink (hiawatha) Date: 2006-11-15 14:01
A HTTP headerline must end with CRLF (\r\n) instead of only LF (\n). Python only uses the LF to end a HTTP headerline (cgitb.enable() for example). Also, in many Python documents, only LF is being used.

For more information about this issue, see the HTTP RFC (2616), section 6 (Response).

Hugo Leisink (hugo@leisink.net)
msg61035 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2006-11-15 17:32
Do you want to work on a patch for that?
msg61348 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2008-01-20 19:33
Lowering priority.
msg62140 - (view) Author: Guilherme Polo (gpolo) * (Python committer) Date: 2008-02-07 11:12
cgitb just creates a html document with a traceback, it doesn't send it
over network. I would like to take a look at this, but before it would
be good to know if the author of this bug found some other place that
this issue applies.
msg62762 - (view) Author: Daniel Diniz (ajaksu2) (Python triager) Date: 2008-02-23 16:12
he specific issue mentioned might arise from UAs interpreting the
snippet as a header, but the whole thing is so oblivious to standards
that it doesn't matter: 

 def reset():
    """Return a string that resets the CGI and browser to a known state."""
    return '''<!--: spam
Content-Type: text/html

<body bgcolor="#f0f0f8"><font color="#f0f0f8" size="-5"> -->
<body bgcolor="#f0f0f8"><font color="#f0f0f8" size="-5"> --> -->
</font> </font> </font> </script> </object> </blockquote> </pre>
</table> </table> </table> </table> </table> </font> </font> </font>'''


In a search over the stdlib, there are many hits for, e.g., "print
'Content-Type:','X'", but most (if not all) of these are printing to
stdout and also sending the headers correctly terminated over the network.

Other instances are due to local handling of files (like in
urllib2.FTPHandler.ftp_open), and in these we could change the explicit
"\n" to "\r\n", but there would be no gain IMHO.

I suggest closing this bug (at least until concrete examples of sending
non-CRLF terminated headers are provided).
msg83562 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2009-03-14 01:27
Closing as suggested one year ago.
History
Date User Action Args
2009-03-14 01:27:30pitrousetstatus: open -> closed

nosy: + pitrou
messages: + msg83562

resolution: not a bug
2008-02-23 16:12:37ajaksu2setnosy: + ajaksu2
messages: + msg62762
2008-02-07 11:12:31gpolosetnosy: + gpolo
messages: + msg62140
2008-01-20 19:46:13georg.brandlsettitle: HTTP headers -> Use \r\n, not \n for HTTP headers
2008-01-20 19:33:18georg.brandlsetversions: + Python 2.6, Python 2.5, Python 3.0
nosy: + georg.brandl, - gbrandl.historic
messages: + msg61348
priority: normal -> low
components: + Library (Lib), - None
keywords: + easy
2006-11-15 14:01:58hiawathacreate