Opened 42 minutes ago
#37100 new Bug
Prevent header injection through malformed response reason phrase
| Reported by: | Jake Howard | Owned by: | |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
HttpResponse.reason_phrase is not correctly sanitized when creating a response body:
```python
HttpResponse(
    "body",
    reason="OK\r\nX-Injected-header: yes",
)
```
This results in an extra header in the response, which is not present in .headers.
The WSGI spec requires that the status line (which contains the reason phrase) must not contain whitespace or other control characters. Therefore, Django should sanitize the input.
This was previously reported to the Security Team by rasputinkaiser; however, as the reason phrase is never intended to be user-controlled, it was not considered a vulnerability.
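As an added illustration of the sanitization the ticket asks for (example code, not Django's own implementation), the check below accepts only the characters RFC 9110 permits in a reason phrase and rejects CR, LF and other control characters before the status line is assembled; the function and exception names are assumptions for this example.

```python
import re

# RFC 9110 defines reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
# Anything outside that set (notably CR and LF, which terminate the
# status line and would start a new header) is rejected.
_REASON_PHRASE_RE = re.compile(r"\A[\t \x21-\x7e\x80-\xff]*\Z")


class BadReasonPhraseError(ValueError):
    """Raised when a reason phrase contains characters RFC 9110 disallows."""


def reason_phrase_is_valid(reason: str) -> bool:
    """True if `reason` contains only HTAB, SP, VCHAR or obs-text characters."""
    return _REASON_PHRASE_RE.match(reason) is not None


def validate_reason_phrase(reason: str) -> str:
    """Return `reason` unchanged, or raise BadReasonPhraseError.

    Mirrors the way a response should refuse header values containing
    CR/LF: the value is rejected, not silently stripped, so a bug that
    lets untrusted data reach the reason phrase fails loudly.
    """
    if not reason_phrase_is_valid(reason):
        raise BadReasonPhraseError(
            f"Control characters are not allowed in reason phrase: {reason!r}"
        )
    return reason


def build_status_line(status_code: int, reason: str) -> str:
    """Build the PEP 3333 status string ("NNN Reason") from validated parts.

    Since the reason phrase can no longer contain CR or LF, the serialized
    status line is guaranteed to end exactly where the framework ends it.
    """
    if not 100 <= status_code <= 599:
        raise ValueError(f"Invalid HTTP status code: {status_code}")
    return f"{status_code} {validate_reason_phrase(reason)}"


if __name__ == "__main__":
    # Constructed inputs: a normal reason phrase and the one from the ticket.
    print(build_status_line(200, "OK"))
    for candidate in ("OK", "Not Found", "OK\r\nX-Injected-header: yes", "OK\x00"):
        print(repr(candidate), "->", reason_phrase_is_valid(candidate))
```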