diff options
author | Bert JW Regeer <bertjw@regeer.org> | 2016-01-03 00:32:11 -0700 |
---|---|---|
committer | Bert JW Regeer <bertjw@regeer.org> | 2016-01-03 00:32:11 -0700 |
commit | 07e21576ef272a1bbd5410ef34f479e31ee68665 (patch) | |
tree | 9bdb2fb2d496d846606d884c7e9444d940b71a19 /waitress/task.py | |
parent | d49b149971cb521625a4bba45838d266d5397307 (diff) | |
download | waitress-07e21576ef272a1bbd5410ef34f479e31ee68665.tar.gz |
Check headers for line feed/carriage return chars
HTTP Response Splitting
(https://www.owasp.org/index.php/HTTP_Response_Splitting) could
potentially allow an attacker that is able to inject content into a HTTP
header (Location tends to be used) to send a response that will be
treated differently by the receiving client.
The fix used here is to raise ValueError from within start_response(),
using something similar to what mod_wsgi does by validating the header
values (seen here:
https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L134-L168)
It's a seatbelt, applications should not be returning headers with
control characters within the header, but it's hard to argue against
such a small change when it could have a large security impact for
applications serving WSGI apps with waitress.
Diffstat (limited to 'waitress/task.py')
-rw-r--r-- | waitress/task.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/waitress/task.py b/waitress/task.py index 7136c32..501547a 100644 --- a/waitress/task.py +++ b/waitress/task.py @@ -371,6 +371,10 @@ class WSGITask(Task): raise AssertionError( 'Header value %r is not a string in %r' % (v, (k, v)) ) + + if '\n' in v or '\r' in v: + raise ValueError("carriage return/line " + "feed character present in header value") kl = k.lower() if kl == 'content-length': self.content_length = int(v) |