gh-142533: Document CRLF injection vulnerability in http.server and wsgiref modules

tadejmagajna · tadejmagajna · commit b1edcf8b0949 · 2026-01-03T22:01:03.000+01:00
diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
@@ -287,6 +287,10 @@ instantiation, of which this module provides three different variants:
       specifying its value. Note that, after the send_header calls are done,
       :meth:`end_headers` MUST BE called in order to complete the operation.
 
+      This method does not reject input containing CRLF sequences allowing the
+      possibility of CRLF injection, where a single method call can inject
+      multiple arbitrary headers.
+
       .. versionchanged:: 3.2
          Headers are stored in an internal buffer.
 
@@ -555,6 +559,10 @@ Security considerations
 requests, this makes it possible for files outside of the specified directory
 to be served.
 
+The :meth:`BaseHTTPRequestHandler.send_header` method assumes sanitized input
+and does not perform input validation such as checking for the presence of CRLF
+sequences. Untrusted input may result in CRLF injection attacks.
+
 Earlier versions of Python did not scrub control characters from the
 log messages emitted to stderr from ``python -m http.server`` or the
 default :class:`BaseHTTPRequestHandler` ``.log_message``
diff --git a/Doc/library/wsgiref.rst b/Doc/library/wsgiref.rst
@@ -263,6 +263,9 @@ manipulation of WSGI response headers using a mapping-like interface.
 
          Content-Disposition: attachment; filename="bud.gif"
 
+      This method does not reject input containing CRLF sequences allowing the
+      possibility of CRLF injection, where a single method call can inject
+      multiple arbitrary headers.
 
    .. versionchanged:: 3.5
       *headers* parameter is optional.
@@ -896,4 +899,10 @@ directory and port number (default: 8000) on the command line::
             print("Shutting down.")
             httpd.server_close()
 
+Security considerations
+-----------------------
 
+The :class:`wsgiref.headers.Headers` class assumes sanitized input for header
+names and values and does not perform input validation such as checking for the
+presence of CRLF sequences. Untrusted input may result in CRLF injection
+attacks.
diff --git a/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst b/Misc/NEWS.d/next/Documentation/2026-01-03-21-54-25.gh-issue-142533.sZVFfn.rst
@@ -0,0 +1,2 @@
+Document CRLF injection vulnerability in :mod:`http.server` and
+:mod:`wsgiref` modules.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Document CRLF injection vulnerability in :mod:`http.server` and
	`2`	+:mod:`wsgiref` modules.