HttpResponse does not filter CR/LF characters from headers

[Bob Thomas]

E-mail headers currently throw an exception when a CR or LF character is put into a header (see forbid_multi_line_headers in django/core/mail.py). HttpResponse should have the same or equivalent protection in place, probably in _convert_to_ascii. A basic patch based on forbid_multi_line_headers attached.

[rokclimb15]

I think this is an excellent idea from a security perspective. This will eliminate the possibility of HTTP response splitting in Django apps. I will test this patch over the weekend and seek a design decision on whether or not it should be included.

[Bob Thomas]

I discussed security implications with Jacob already; I'd rather not add any details here :)

[rokclimb15]

I have installed this patch on my production web server running many sites. No hiccups or 500 emails so far. Working on a couple of unit tests for this patch.

[mcroydon]

BadHeaderError should be documented.

[Bob Thomas]

Patch with doc and tests

[Bob Thomas]

Added documentation and tests. I can't build the documentation right now, so I would appreciate it if someone else could check it.

[Jacob]

(In [10709]) Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.

[Jacob]

(In [10711]) Fixed #10188: prevent newlines in HTTP headers. Thanks, bthomas.

[anonymous]

The patch seems to be incorrect since it's not checking whether value is iterable or not (which throws an exception).

Replacing

if '\n' in value or '\r' in value: 

with

if isinstance(value, str) and ('\n' in value or '\r' in value):

works for me.

[Alex Gaynor]

Fixed in r10712.

[Jacob]

Milestone 1.1 deleted

[Mariusz Felisiak <felisiak.mariusz@…>]

In 9bde906:

Refs #10188 -- Added tests for BadHeaderErrors when HTTP header with newlines cannot be encoded/decoded.