python · vstinner · Apr 2, 2026 · Jan 3, 2026 · Jan 4, 2026 · Jan 4, 2026
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
@@ -287,6 +287,8 @@ instantiation, of which this module provides three different variants:
       specifying its value. Note that, after the send_header calls are done,
       :meth:`end_headers` MUST BE called in order to complete the operation.
 
+      This method does not reject input containing CRLF sequences.
+
       .. versionchanged:: 3.2
          Headers are stored in an internal buffer.
 
@@ -555,6 +557,10 @@ Security considerations
 requests, this makes it possible for files outside of the specified directory
 to be served.
 
+The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input
+and does not perform input validation such as checking for the presence of CRLF
+sequences. Untrusted input may result in CRLF injection attacks.
+
 Earlier versions of Python did not scrub control characters from the
 log messages emitted to stderr from ``python -m http.server`` or the
 default :class:`BaseHTTPRequestHandler` ``.log_message``

diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst
@@ -263,6 +263,7 @@ manipulation of WSGI response headers using a mapping-like interface.
 
          Content-Disposition: attachment; filename="bud.gif"
 
+      This method does not reject input containing CRLF sequences.
 
    .. versionchanged:: 3.5
       *headers* parameter is optional.
@@ -897,3 +898,12 @@ directory and port number (default: 8000) on the command line::
             httpd.server_close()
 
 
+.. _wsgiref-security:
+
+Security considerations
+-----------------------
+
+The :class:`wsgiref.headers.Headers` class assumes sanitized input for header
+names and values and does not perform input validation such as checking for the
+presence of CRLF sequences. Untrusted input may result in CRLF injection
+attacks.