Prevent header injection through malformed response reason phrase
HttpResponse.reason_phrase is not correctly sanitized when creating a response body:
from django.http import HttpResponse

# A CRLF inside the reason phrase ends the status line early and starts a new header line.
HttpResponse(
    "body",
    reason="OK\r\nX-Injected-header: yes",
)
This results in an extra header in the response, which is not present in .headers.
The WSGI spec requires that the status line (which contains the reason phrase) must not contain whitespace or other control characters. Therefore, Django should sanitize the input.
This was previously reported to the Security Team by rasputinkaiser; however, as the reason phrase is never intended to be user-controlled, it was not considered a vulnerability.
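The mechanism behind the ticket, as an added example that is not Django's code or the patch linked below: a naive serializer writes the status line and headers exactly as a WSGI server would, a client-side parser shows that the CRLF in the reason phrase turns into a header the client trusts even though it was never declared, and a validator in the spirit of the fix rejects the phrase before it reaches the wire. The functions `serialize_response`, `parse_headers`, `validate_reason_phrase` and `demo`, the declared header and the control-character pattern are assumptions of this example; only the `"OK\r\nX-Injected-header: yes"` payload comes from the report.

```python
import re

# Constructed inputs for the demo; only the reason phrase is taken from the ticket.
DECLARED_HEADERS = [("Content-Type", "text/plain")]
MALICIOUS_REASON = "OK\r\nX-Injected-header: yes"

# RFC 9112: reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ). Every other
# control character (NUL, CR, LF, ...) is forbidden; CR and LF are the ones that
# terminate the status line early and let extra header lines through.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_reason_phrase(reason: str) -> str:
    """Return the reason unchanged, or raise ValueError if it could break the status line."""
    if _CONTROL_CHARS.search(reason):
        raise ValueError(f"reason phrase contains control characters: {reason!r}")
    return reason


def serialize_response(status_code: int, reason: str, headers, body: bytes,
                       validate: bool = False) -> bytes:
    """Build raw HTTP/1.1 bytes the way a naive server does, optionally validating first."""
    if validate:
        reason = validate_reason_phrase(reason)
    status_line = f"HTTP/1.1 {status_code} {reason}\r\n"
    header_block = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (status_line + header_block + "\r\n").encode("latin-1") + body


def parse_headers(raw: bytes) -> dict:
    """Parse headers as a client would: every CRLF-terminated line after the status line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parsed = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        parsed[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return parsed


def demo() -> dict:
    """Show the injection without validation, then the rejection with it."""
    raw = serialize_response(200, MALICIOUS_REASON, DECLARED_HEADERS, b"body")
    seen_by_client = parse_headers(raw)
    declared = {name.lower() for name, _ in DECLARED_HEADERS}
    # The client sees X-Injected-header although it was never in DECLARED_HEADERS.
    injected = "x-injected-header" in seen_by_client
    try:
        serialize_response(200, MALICIOUS_REASON, DECLARED_HEADERS, b"body", validate=True)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "injected_without_validation": injected,
        "smuggled_headers": sorted(set(seen_by_client) - declared),
        "rejected_with_validation": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The validator deliberately rejects rather than strips: silently dropping CR and LF would hide a bug in the caller, and a reason phrase is never a place where untrusted text belongs, so a loud failure is the safer default.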
Change History (10)

Triage Stage: Unreviewed → Accepted
Owner: set to Varun Kasyap Pentamaraju
Status: new → assigned
Patch needs improvement: set
Patch needs improvement: unset
Patch needs improvement: set
Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin
Resolution: → fixed
Status: assigned → closed
https://github.com/django/django/pull/21290