wsgiref HTTP Response Header Injection: CRLF Injection

[RAUSHANRAJ]

BPO	28778
Nosy	@vadmium, @epicfaace
PRs	bpo-11671: add header validation from http.client to wsgiref.headers.Headers #15299
Dependencies	bpo-11671: Security hole in wsgiref.headers.Headers

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2016-11-23.08:51:14.519>
labels = ['type-security', 'library', '3.9']
title = 'wsgiref HTTP Response Header Injection: CRLF Injection'
updated_at = <Date 2019-08-15.04:21:51.173>
user = 'https://bugs.python.org/RAUSHANRAJ'

bugs.python.org fields:

activity = <Date 2019-08-15.04:21:51.173>
actor = 'epicfaace'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2016-11-23.08:51:14.519>
creator = 'RAUSHAN RAJ'
dependencies = ['11671']
files = []
hgrepos = []
issue_num = 28778
keywords = ['patch']
message_count = 2.0
messages = ['281546', '306975']
nosy_count = 3.0
nosy_names = ['martin.panter', 'RAUSHAN RAJ', 'epicfaace']
pr_nums = ['15299']
priority = 'normal'
resolution = None
stage = 'patch review'
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue28778'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.9']

[RAUSHANRAJ]

https://www.owasp.org/index.php/CRLF_Injection

Issue is in wsgiref.headers – WSGI response header tools
This module provides a single class, Headers, for convenient manipulation of WSGI response headers using a mapping-like interface.
class wsgiref.headers.Headers(headers)

Example:
import wsgiref.headers as hd
h=hd.Headers([])
h.add_header(' Content-type'+chr(10)+'set-cook:5', 'text/plain')
h
Headers([(' Content-type\nset-cook:5', 'text/plain')])
str(h)
' Content-type\nset-cook:5: text/plain\r\n\r\n'

Response in Browser looks like this:

Inline image 1
An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values.

Also,
No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.

But add_header function allow whitespaces also.

Tested for python 2.7.9 and python 3.5.1

For reference , it is related to (In this case request header injection is possible)
https://bugs.python.org/issue22928
http://bugs.python.org/issue17322

[vadmium]

bpo-11671 is closely related and has a patch proposing to ban control characters including CRLF (but not spaces).

Also see bpo-22928 which added header field validation to the HTTP client module.