#10188 closed (fixed)
HttpResponse does not filter CR/LF characters from headers
Reported by: | Bob Thomas | Owned by: | rokclimb15 |
---|---|---|---|
Component: | HTTP handling | Version: | 1.0 |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
E-mail headers currently throw an exception when a CR or LF character is put into a header (see forbid_multi_line_headers in django/core/mail.py). HttpResponse should have the same or equivalent protection in place, probably in _convert_to_ascii. A basic patch based on forbid_multi_line_headers attached.
Attachments (2)
Change History (16)
by , 16 years ago
Attachment: | badheader.diff added |
---|
comment:1 by , 16 years ago
Component: | Uncategorized → HTTP handling |
---|
comment:2 by , 16 years ago
Needs tests: | set |
---|---|
Owner: | changed from | to
Triage Stage: | Unreviewed → Design decision needed |
comment:3 by , 16 years ago
milestone: | → 1.1 |
---|---|
Triage Stage: | Design decision needed → Accepted |
comment:4 by , 16 years ago
I discussed security implications with Jacob already; I'd rather not add any details here :)
comment:5 by , 16 years ago
I have installed this patch on my production web server running many sites. No hiccups or 500 emails so far. Working on a couple of unit tests for this patch.
comment:7 by , 16 years ago
Needs documentation: | unset |
---|---|
Needs tests: | unset |
Added documentation and tests. I can't build the documentation right now, so I would appreciate it if someone else could check it.
comment:8 by , 16 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:9 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:10 by , 16 years ago
comment:11 by , 16 years ago
Patch needs improvement: | set |
---|---|
Resolution: | fixed |
Status: | closed → reopened |
The patch seems to be incorrect since it's not checking whether value is iterable or not (which throws an exception).
Replacing
if '\n' in value or '\r' in value:
with
if isinstance(value, str) and ('\n' in value or '\r' in value):
works for me.
I think this is an excellent idea from a security perspective. This will eliminate the possibility of HTTP response splitting in Django apps. I will test this patch over the weekend and seek a design decision on whether or not it should be included.