[3.11] gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (#144371) (#145672)

2026-06-28 03:41:13 +00:00 · 2026-05-17 20:33:30 +02:00 · 2026-05-17 20:33:30 +02:00 · 3b80905fdc
commit 3b80905fdc
parent 9a23b75355
4 changed files with 25 additions and 1 deletions
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@ -855,6 +855,25 @@ def write(self, b):
        self.assertIsNotNone(h.status)
        self.assertIsNotNone(h.environ)

+    def testRaisesControlCharacters(self):
+        for c0 in control_characters_c0():
+            with self.subTest(c0):
+                base = BaseHandler()
+                with self.assertRaises(ValueError):
+                    base.start_response(c0, [('x', 'y')])
+
+                base = BaseHandler()
+                with self.assertRaises(ValueError):
+                    base.start_response('200 OK', [(c0, 'y')])
+
+                # HTAB (\x09) is allowed in header values, but not in names.
+                base = BaseHandler()
+                if c0 != "\t":
+                    with self.assertRaises(ValueError):
+                        base.start_response('200 OK', [('x', c0)])
+                else:
+                    base.start_response('200 OK', [('x', c0)])
+

 if __name__ == "__main__":
    unittest.main()
--- a/Lib/wsgiref/handlers.py
+++ b/Lib/wsgiref/handlers.py
@ -1,7 +1,7 @@
 """Base classes for server/gateway implementations"""

 from .util import FileWrapper, guess_scheme, is_hop_by_hop
-from .headers import Headers
+from .headers import Headers, _name_disallowed_re

 import sys, os, time

@ -237,6 +237,8 @@ def start_response(self, status, headers,exc_info=None):
        self.status = status
        self.headers = self.headers_class(headers)
        status = self._convert_string_type(status, "Status")
+        if _name_disallowed_re.search(status):
+            raise ValueError("Control characters are not allowed in status")
        assert len(status)>=4,"Status must be at least 4 characters"
        assert status[:3].isdigit(), "Status message must begin w/3-digit code"
        assert status[3]==" ", "Status message must have a space after code"
--- a/Misc/ACKS
+++ b/Misc/ACKS
@ -1021,6 +1021,7 @@ Wolfgang Langner
 Detlef Lannert
 Rémi Lapeyre
 Soren Larsen
+Seth Michael Larson
 Amos Latteier
 Piers Lauder
 Ben Laurie
--- a/Misc/NEWS.d/next/Security/2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
+++ b/Misc/NEWS.d/next/Security/2026-01-31-21-56-54.gh-issue-144370.fp9m8t.rst
@ -0,0 +1,2 @@
+Disallow usage of control characters in status in :mod:`wsgiref.handlers` to prevent HTTP header injections.
+Patch by Benedikt Johannes.