
gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules

Open tadejmagajna opened this issue 2 weeks ago • 1 comment

This change documents the CRLF injection vulnerability for HTTP headers in the http.server and wsgiref modules.

Initial report in #142533 focused on http.server only, though further discussion suggested also addressing a closely related vulnerability in wsgiref referenced in related issues #55880 and #72964.

After discussing #142605, we pivoted from a direct fix to a documentation update because a fix would disrupt users who rely on using the vulnerability for non-malicious purposes.

The change documents the low-level vulnerability (i.e. absence of checking for CRLF) in method-specific sections while describing the high-level implications (i.e. assuming sanitized input) under the "Security considerations" section.

  • Issue: gh-142533

📚 Documentation preview 📚: https://cpython-previews--143395.org.readthedocs.build/

tadejmagajna avatar Jan 03 '26 21:01 tadejmagajna
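The check that http.server's `send_header()` and wsgiref's `start_response()` do not perform, as an added example that is not part of this PR or of CPython: an application-side guard that rejects header names and values containing CR or LF before they are handed to either API. The function names (`is_safe_header_value`, `safe_headers`, `guarded_start_response`) and the sample values are this example's own constructions.

```python
"""Added example, not CPython code: reject CR/LF in HTTP response headers
before they reach http.server.BaseHTTPRequestHandler.send_header() or a
WSGI start_response() callable, neither of which validates them itself.
All names here are this example's own, not CPython API."""
import re

# A CR or LF inside a header name or value ends the header line early, so
# attacker-controlled input could append further headers or a body.
_CRLF = re.compile(r"[\r\n]")
# RFC 9110 "token" characters, the only ones allowed in a header name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_header_name(name: str) -> bool:
    """True if `name` is a syntactically valid header field name."""
    return _TOKEN.match(name) is not None


def is_safe_header_value(value: str) -> bool:
    """True if `value` contains no CR or LF and so cannot split the header."""
    return _CRLF.search(value) is None


def safe_headers(pairs):
    """Validate a list of (name, value) pairs.

    Returns the same pairs with values coerced to str; raises ValueError
    on the first unsafe name or value. Call this on anything derived from
    request data (e.g. a redirect target) before send_header().
    """
    checked = []
    for name, value in pairs:
        value = str(value)
        if not is_valid_header_name(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not is_safe_header_value(value):
            raise ValueError(f"CR/LF in value of header {name!r}")
        checked.append((name, value))
    return checked


def guarded_start_response(start_response):
    """Wrap a WSGI start_response so the status line and headers are checked.

    wsgiref passes status and headers through unchanged, so a WSGI app or
    middleware can apply the same CR/LF rule here.
    """
    def wrapper(status, response_headers, exc_info=None):
        if not is_safe_header_value(status):
            raise ValueError("CR/LF in status line")
        return start_response(status, safe_headers(response_headers), exc_info)
    return wrapper


def demo():
    """Constructed sample: one clean header set and one carrying a CR/LF."""
    clean = [("Content-Type", "text/plain"), ("Location", "/home")]
    injected = [("Location", "/home\r\nSet-Cookie: constructed=sample")]
    results = {"clean": safe_headers(clean) == clean}
    try:
        safe_headers(injected)
        results["injected_rejected"] = False
    except ValueError:
        results["injected_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In an http.server handler the call site is the value passed to `send_header()`; in a WSGI app, wrap the `start_response` argument with `guarded_start_response` before calling it. Rejecting with an error (rather than stripping the characters) keeps the failure visible in logs, which is what you want when the value came from a request.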

Hi, according to the Dev Guide, documentation-only changes don't need a news entry file.

aisk avatar Jan 04 '26 02:01 aisk