[3.13] gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395) (#148021)

gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395)
(cherry picked from commit 617f4cc1c2)

Co-authored-by: Tadej Magajna <tmagajna@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Miss Islington (bot) 2026-04-02 23:33:00 +02:00 committed by GitHub
parent 45c92206eb
commit e43fae7a75
GPG key ID: B5690EEEBB952194


@ -247,6 +247,8 @@ provides three different variants:
specifying its value. Note that, after the send_header calls are done,
:meth:`end_headers` MUST BE called in order to complete the operation.
This method does not reject input containing CRLF sequences.
.. versionchanged:: 3.2
Headers are stored in an internal buffer.
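Review bot: the added sentence "This method does not reject input containing CRLF sequences." says "input" without naming which argument, while the parallel note added to send_response_only names *message*; since send_header takes a keyword and a value, suggest "This method does not reject a *keyword* or *value* containing CRLF sequences." It would also help to say why this matters at the point of use, e.g. append "Untrusted input may result in HTTP header injection; see Security considerations." so the reader of the method description is sent to the section that explains the risk.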
@ -257,6 +259,8 @@ provides three different variants:
buffered and sent directly the output stream.If the *message* is not
specified, the HTTP message corresponding the response *code* is sent.
This method does not reject *message* containing CRLF sequences.
.. versionadded:: 3.2
.. method:: end_headers()
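Review bot: the added sentence "This method does not reject *message* containing CRLF sequences." is missing an article; suggest "This method does not reject a *message* containing CRLF sequences." While this paragraph is being touched, the unchanged context line just above it reads "sent directly the output stream.If the *message* is not" and should be "sent directly to the output stream. If the *message* is not" (missing "to" and a space after the period).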
@ -553,6 +557,11 @@ Security considerations
requests, this makes it possible for files outside of the specified directory
to be served.
Methods :meth:`BaseHTTPRequestHandler.send_header` and
:meth:`BaseHTTPRequestHandler.send_response_only` assume sanitized input
and does not perform input validation such as checking for the presence of CRLF
sequences. Untrusted input may result in HTTP Header injection attacks.
Earlier versions of Python did not scrub control characters from the
log messages emitted to stderr from ``python -m http.server`` or the
default :class:`BaseHTTPRequestHandler` ``.log_message``
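Review bot: subject-verb agreement in the added paragraph: "Methods ... assume sanitized input and does not perform input validation" has a plural subject, so it should read "and do not perform input validation". "HTTP Header injection" should be lowercase "HTTP header injection" to match the style of the surrounding section. Consider closing the paragraph with the action the reader needs to take, e.g. "Callers must validate or reject values containing ``\r`` or ``\n`` before passing untrusted data to these methods.", so the section states the mitigation and not only the risk.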