From b1edcf8b09498fb61e2feb57969b6d63416dd662 Mon Sep 17 00:00:00 2001 From: Tadej Magajna Date: Sat, 3 Jan 2026 22:01:03 +0100 Subject: [PATCH 1/7] gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules --- Doc/library/http.server.rst | 8 ++++++++ Doc/library/wsgiref.rst | 9 +++++++++ .../2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 58f09634f95e0f..9127975bcec081 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -287,6 +287,10 @@ instantiation, of which this module provides three different variants: specifying its value. Note that, after the send_header calls are done, :meth:`end_headers` MUST BE called in order to complete the operation. + This method does not reject input containing CRLF sequences allowing the + possibility of CRLF injection, where a single method call can inject + multiple arbitrary headers. + .. versionchanged:: 3.2 Headers are stored in an internal buffer. @@ -555,6 +559,10 @@ Security considerations requests, this makes it possible for files outside of the specified directory to be served. +The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input +and does not perform input validation such as checking for the presence of CRLF +sequences. Untrusted input may result in CRLF injection attacks. + Earlier versions of Python did not scrub control characters from the log messages emitted to stderr from ``python -m http.server`` or the default :class:`BaseHTTPRequestHandler` ``.log_message`` diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst index 381c993834753d..57ff1a9f4a7932 100644 --- a/Doc/library/wsgiref.rst +++ b/Doc/library/wsgiref.rst 
@@ -263,6 +263,9 @@ manipulation of WSGI response headers using a mapping-like interface. Content-Disposition: attachment; filename="bud.gif" + This method does not reject input containing CRLF sequences allowing the + possibility of CRLF injection, where a single method call can inject + multiple arbitrary headers. .. versionchanged:: 3.5 *headers* parameter is optional. @@ -896,4 +899,10 @@ directory and port number (default: 8000) on the command line:: print("Shutting down.") httpd.server_close() +Security considerations +----------------------- +The :class:`wsgiref.headers.Headers` class assumes sanitized input for header +names and values and does not perform input validation such as checking for the +presence of CRLF sequences. Untrusted input may result in CRLF injection +attacks. diff --git a/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst b/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst new file mode 100644 index 00000000000000..3686e15820ee94 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst @@ -0,0 +1,2 @@ +Document CRLF injection vulnerability in :mod:`http.server` and +:mod:`wsgiref` modules. From 39c5198e3e3e456492fc53ffc00486cbd8b818c7 Mon Sep 17 00:00:00 2001 From: Tadej Magajna Date: Sun, 4 Jan 2026 07:53:25 +0100 Subject: [PATCH 2/7] gh-142533: Remove reduntant NEWS entry --- .../2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst diff --git a/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst b/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst deleted file mode 100644 index 3686e15820ee94..00000000000000 --- a/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst +++ /dev/null 
@@ -1,2 +0,0 @@ -Document CRLF injection vulnerability in :mod:`http.server` and -:mod:`wsgiref` modules. From 2751d9bb67a208128190ec94f228aeccae0fcf2e Mon Sep 17 00:00:00 2001 From: Tadej Magajna Date: Sun, 4 Jan 2026 16:24:58 +0100 Subject: [PATCH 3/7] gh-142533: Ensure CRLF is mentioned in the security consideration section only --- Doc/library/http.server.rst | 4 +--- Doc/library/wsgiref.rst | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 9127975bcec081..f53d8af2d0db91 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -287,9 +287,7 @@ instantiation, of which this module provides three different variants: specifying its value. Note that, after the send_header calls are done, :meth:`end_headers` MUST BE called in order to complete the operation. - This method does not reject input containing CRLF sequences allowing the - possibility of CRLF injection, where a single method call can inject - multiple arbitrary headers. + This method does not reject input containing CRLF sequences. .. versionchanged:: 3.2 Headers are stored in an internal buffer. diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst index 57ff1a9f4a7932..df5e385793ad20 100644 --- a/Doc/library/wsgiref.rst +++ b/Doc/library/wsgiref.rst @@ -263,9 +263,7 @@ manipulation of WSGI response headers using a mapping-like interface. Content-Disposition: attachment; filename="bud.gif" - This method does not reject input containing CRLF sequences allowing the - possibility of CRLF injection, where a single method call can inject - multiple arbitrary headers. + This method does not reject input containing CRLF sequences. .. versionchanged:: 3.5 *headers* parameter is optional. From d88da640336d53a270731b0a5ee23861136106e9 Mon Sep 17 00:00:00 2001 
From: Tadej Magajna Date: Sun, 4 Jan 2026 17:25:35 +0100 Subject: [PATCH 4/7] gh-142533: Added label and spacing --- Doc/library/wsgiref.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst index df5e385793ad20..7705e82f02967b 100644 --- a/Doc/library/wsgiref.rst +++ b/Doc/library/wsgiref.rst @@ -897,6 +897,9 @@ directory and port number (default: 8000) on the command line:: print("Shutting down.") httpd.server_close() + +.. _wsgiref-security: + Security considerations ----------------------- From 0be4e582a5cd77df9d3491f61f44f46c1afeaf6d Mon Sep 17 00:00:00 2001 From: Tadej Magajna Date: Wed, 1 Apr 2026 23:13:30 +0200 Subject: [PATCH 5/7] gh-142533: Remove vulnerability warnings from wsgiref module documentation since the issue was recently fixed --- Doc/library/wsgiref.rst | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst index 1310bbc828ed5d..2af54dc2a7e632 100644 --- a/Doc/library/wsgiref.rst +++ b/Doc/library/wsgiref.rst @@ -265,7 +265,6 @@ manipulation of WSGI response headers using a mapping-like interface. Content-Disposition: attachment; filename="bud.gif" - This method does not reject input containing CRLF sequences. .. versionchanged:: 3.5 *headers* parameter is optional. @@ -900,12 +899,3 @@ directory and port number (default: 8000) on the command line:: httpd.server_close() -.. _wsgiref-security: - -Security considerations ------------------------ - -The :class:`wsgiref.headers.Headers` class assumes sanitized input for header -names and values and does not perform input validation such as checking for the -presence of CRLF sequences. Untrusted input may result in CRLF injection -attacks. From 3f8dd053970c0d6e81496cf99298f8785562e552 Mon Sep 17 00:00:00 2001 
From: Tadej Magajna Date: Thu, 2 Apr 2026 21:24:24 +0200 Subject: [PATCH 6/7] Accept commit suggestion reg. http header reference Co-authored-by: Victor Stinner --- Doc/library/http.server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 078e06820e015f..35aa96c66c844e 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -559,7 +559,7 @@ to be served. The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input and does not perform input validation such as checking for the presence of CRLF -sequences. Untrusted input may result in CRLF injection attacks. +sequences. Untrusted input may result in HTTP Header injection attacks. Earlier versions of Python did not scrub control characters from the log messages emitted to stderr from ``python -m http.server`` or the From eb4fbfb6abba77dc7366ab45826d44b099bc0b4a Mon Sep 17 00:00:00 2001 From: Tadej Magajna Date: Thu, 2 Apr 2026 21:39:01 +0200 Subject: [PATCH 7/7] gh-142533: Document CRLF vulnerability also for send_response_only --- Doc/library/http.server.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index 35aa96c66c844e..cb8b5f0df88d6c 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -299,6 +299,8 @@ instantiation, of which this module provides three different variants: buffered and sent directly the output stream.If the *message* is not specified, the HTTP message corresponding the response *code* is sent. + This method does not reject *message* containing CRLF sequences. + .. versionadded:: 3.2 .. method:: end_headers() 
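Review bot: the sentence added to send_response_only in PATCH 7 (hunk @@ -299,6 +299,8 @@) is missing an article and should read "This method does not reject a *message* containing CR or LF characters"; a bare LF is already enough for most recipients to end the status line, so "CRLF sequences" is narrower than the actual exposure. Since send_response forwards its *message* argument to send_response_only unchanged, the same caveat applies to send_response and should be stated there too, otherwise a reader of the more commonly used method never sees it. While this paragraph is being touched, the pre-existing typo in the context line "buffered and sent directly the output stream.If the *message* is not" (missing "to" and a space after the full stop) could be fixed in the same hunk.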
@@ -557,7 +559,8 @@ Security considerations requests, this makes it possible for files outside of the specified directory to be served. -The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input +Methods :meth:`BaseHTTPRequestHandler.send_header` and +:meth:`BaseHTTPRequestHandler.send_response_only` assume sanitized input and does not perform input validation such as checking for the presence of CRLF sequences. Untrusted input may result in HTTP Header injection attacks.
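Review bot: the subject-verb agreement in the Security considerations paragraph rewritten in PATCH 7 (hunk @@ -557,7 +559,8 @@) is now wrong: with two subjects, "assume sanitized input and does not perform input validation" must become "assume sanitized input and do not perform input validation". "Methods :meth:`...` and :meth:`...` assume" also reads more naturally as "The :meth:`BaseHTTPRequestHandler.send_header` and :meth:`BaseHTTPRequestHandler.send_response_only` methods assume". The list is also incomplete: send_response passes its *message* through to send_response_only, so it belongs in the same sentence, and for send_header both the *keyword* and the *value* are formatted into the header line unchecked, which is worth saying explicitly since an attacker-controlled header name is the less obvious case.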
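Review bot: the send_header note added in PATCH 1 (hunk @@ -287,6 +287,10 @@ of Doc/library/http.server.rst) understates the problem by talking only about "CRLF sequences": a lone LF (or CR) is treated as a line terminator by many HTTP parsers, so "CR or LF characters" is the accurate wording, and the consequence is not only "multiple arbitrary headers" but, with an injected blank line, termination of the header block and an attacker-chosen response body (HTTP response splitting). The sentence also needs a comma before "allowing" ("...CRLF sequences, allowing the possibility of..."); PATCH 3 later cuts the clause entirely, which sidesteps the grammar but leaves the reader with no hint of the impact.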
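Review bot: the Security considerations paragraph added in PATCH 1 (hunk @@ -555,6 +559,10 @@ of Doc/library/http.server.rst) says what the method does not do but not what the caller should do. One sentence telling users to reject, or at least strip, CR and LF from both the header name and the value before calling send_header would make the warning actionable; pointing out that :meth:`http.client.HTTPConnection.putheader` raises ValueError for CR/LF in header values would make the asymmetry between the client and server sides of the stdlib explicit. The same mitigation sentence can be reused when PATCH 7 extends this paragraph to send_response_only.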
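Review bot: the wsgiref Security considerations section added in PATCH 1 (hunk @@ -896,4 +899,10 @@ of Doc/library/wsgiref.rst) describes the :class:`wsgiref.headers.Headers` class as a whole, but the per-method warning in the same patch (hunk @@ -263,6 +263,9 @@) is attached only to add_header; `__setitem__` and the *headers* list given to the constructor accept names and values just as unchecked, so either move the note to the class or say so in the section. The section should also mention the mitigation that already exists in the module: :mod:`wsgiref.validate` checks the headers passed to start_response and rejects control characters in values, so an application wrapped in `wsgiref.validate.validator` fails with an assertion instead of emitting a split response.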
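Review bot: after PATCH 3 (hunk @@ -287,9 +287,7 @@ of Doc/library/http.server.rst and hunk @@ -263,9 +263,7 @@ of Doc/library/wsgiref.rst) the method-level text is the bare statement "This method does not reject input containing CRLF sequences.", which tells the reader nothing about why that matters. Keeping the consequence out of the method docs is fine if the sentence links to the Security considerations section with a `:ref:` (adding a label to the http.server section if it has none, as PATCH 4 does for wsgiref with `.. _wsgiref-security:`); without the link a reader of send_header has to know to scroll to the end of the page.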
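Review bot: PATCH 5 (hunks @@ -265,7 +265,6 @@ and @@ -900,12 +899,3 @@ of Doc/library/wsgiref.rst) removes the warnings on the grounds that the issue was "recently fixed", but only deletes text. If :class:`wsgiref.headers.Headers` now rejects CR/LF, that is a behaviour change and belongs in a `.. versionchanged::` entry under add_header (or the class) stating the version in which header names and values started being validated; readers on earlier releases still have the unvalidated behaviour and currently get no hint of it from the documentation.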
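Review bot: in PATCH 6 (hunk @@ -559,7 +559,7 @@ of Doc/library/http.server.rst) "HTTP Header injection attacks" should be lowercase "HTTP header injection attacks"; the rest of the page does not capitalise "header". Naming the standard term as well, "HTTP header injection (response splitting, CWE-113)", helps readers who search for it, and the replacement wording is an improvement over "CRLF injection" only if the method-level notes stop describing the problem purely in terms of CRLF sequences.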