From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Thu, 2 Apr 2026 21:32:48 +0000 (+0200) Subject: [3.14] gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH... X-Git-Tag: v3.14.4~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dbba26dabee2b685539df0c0d9e06bc21c4d2c3a;p=thirdparty%2FPython%2Fcpython.git [3.14] gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395) (#148020) gh-142533: Document CRLF injection vulnerabilities in http.server doc (GH-143395) (cherry picked from commit 617f4cc1c2605b86b4833450253c3599b61d6638) Co-authored-by: Tadej Magajna Co-authored-by: Victor Stinner --- diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst index b47da97d3f28..7705fa3f1408 100644 --- a/Doc/library/http.server.rst +++ b/Doc/library/http.server.rst @@ -287,6 +287,8 @@ instantiation, of which this module provides three different variants: specifying its value. Note that, after the send_header calls are done, :meth:`end_headers` MUST BE called in order to complete the operation. + This method does not reject input containing CRLF sequences. + .. versionchanged:: 3.2 Headers are stored in an internal buffer. @@ -297,6 +299,8 @@ instantiation, of which this module provides three different variants: buffered and sent directly the output stream.If the *message* is not specified, the HTTP message corresponding the response *code* is sent. + This method does not reject *message* containing CRLF sequences. + .. versionadded:: 3.2 .. method:: end_headers() 
@@ -622,6 +626,11 @@ Security considerations requests, this makes it possible for files outside of the specified directory to be served. +Methods :meth:`BaseHTTPRequestHandler.send_header` and +:meth:`BaseHTTPRequestHandler.send_response_only` assume sanitized input +and does not perform input validation such as checking for the presence of CRLF +sequences. Untrusted input may result in HTTP Header injection attacks. + Earlier versions of Python did not scrub control characters from the log messages emitted to stderr from ``python -m http.server`` or the default :class:`BaseHTTPRequestHandler` ``.log_message``
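Review bot: In the first hunk (`send_header`, around line 287), the added sentence "This method does not reject input containing CRLF sequences." does not say which inputs are meant or why it matters; since the method takes both *keyword* and *value*, and the Security considerations section added further down explains the consequence, it would be clearer as "This method does not reject a *keyword* or *value* containing CRLF sequences; see :ref:`http-server-security`." (or whatever label that section carries), so a reader of the method docs is pointed at the header injection risk rather than left to infer it.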
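Review bot: In the second hunk (`send_response_only`, around line 299), the added line is missing an article: "This method does not reject *message* containing CRLF sequences." should read "does not reject a *message* containing CRLF sequences.". While touching this paragraph, the unchanged context lines above it still carry two pre-existing typos worth a drive-by fix in the same change: "sent directly the output stream.If the" lacks "to" and a space ("sent directly to the output stream. If the"), and "the HTTP message corresponding the response *code*" lacks "to" ("corresponding to the response *code*").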
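Review bot: In the third hunk (Security considerations, around line 626), the new paragraph has a subject-verb agreement error: "Methods ... assume sanitized input and does not perform input validation" should be "assume sanitized input and do not perform input validation". The paragraph also names the risk ("Untrusted input may result in HTTP Header injection attacks", where "header" should be lowercase) without telling the reader what to do about it; one sentence of mitigation would make it actionable, for example: "Callers must validate or reject any *keyword*, *value* or *message* derived from a request before passing it to these methods, in particular any value containing ``\r`` or ``\n``."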