[Django] #37100: Prevent header injection through malformed response reason phrase


Django

May 15, 2026, 8:28:06 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-----------------------------+-----------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: HTTP handling
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
`HttpResponse.reason_phrase` is not correctly sanitized when creating a
response body:

{{{#!python
from django.http import HttpResponse

# A CR/LF inside the reason phrase terminates the status line early, so the
# text after it is emitted as a header line of its own.
HttpResponse(
    "body",
    reason="OK\r\nX-Injected-header: yes",
)
}}}

This results in an extra header in the response, which is not present in
`.headers`.

The [https://peps.python.org/pep-0333/#the-start-response-callable WSGI
spec] requires that the status line (which contains the reason phrase)
must not contain whitespace or other control characters. Therefore, Django
should sanitize the input.

----

This was previously reported to the Security Team by rasputinkaiser;
however, as the reason phrase is never intended to be user-controlled, it was
not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37100>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
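The report above shows the bug; the following is an added illustration, not Django's own code or the fix that was merged for this ticket. It models how a status line is serialised, counts the header lines a receiver would actually parse, and shows a defender-side check that rejects any C0 control character or DEL in a reason phrase before it reaches the status line (the function and exception names are assumptions for this example).

```python
import re

# Any C0 control character (0x00-0x1F) or DEL (0x7F). CR and LF are the ones
# that split a line, but the WSGI spec excludes control characters generally.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class BadReasonPhrase(ValueError):
    """Raised when a reason phrase could smuggle extra lines into the response head."""


def reason_phrase_is_safe(reason: str) -> bool:
    """True if the reason phrase can sit on a status line without splitting it."""
    return CONTROL_CHARS.search(reason) is None


def validate_reason_phrase(reason: str) -> str:
    """Return the reason phrase unchanged, or raise with the offending character."""
    match = CONTROL_CHARS.search(reason)
    if match:
        raise BadReasonPhrase(
            f"control character {match.group()!r} at offset {match.start()} in reason phrase"
        )
    return reason


def render_head(status_code: int, reason: str, headers: dict) -> bytes:
    """Serialise the status line plus headers the way an HTTP/1.1 server would,
    with no validation at all (this is the unsafe path the ticket describes)."""
    lines = [f"HTTP/1.1 {status_code} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_header_lines(raw: bytes) -> int:
    """Number of header lines a receiver parses: every line after the status line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


if __name__ == "__main__":
    hdrs = {"Content-Type": "text/plain"}
    # Constructed sample: the same payload as in the ticket description.
    injected = "OK\r\nX-Injected-header: yes"
    print(count_header_lines(render_head(200, "OK", hdrs)))        # 1 header
    print(count_header_lines(render_head(200, injected, hdrs)))    # 2 headers: one smuggled
    print(reason_phrase_is_safe(injected))                         # False: rejected before serialising
```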

Django

May 15, 2026, 12:06:15 PM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------+------------------------------------
Reporter: Jake Howard | Owner: (none)
Type: Bug | Status: new
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:1>

Django

May 16, 2026, 1:55:04 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* owner: (none) => Varun Kasyap Pentamaraju
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:2>

Django

May 16, 2026, 4:08:09 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* has_patch: 0 => 1

Comment:

https://github.com/django/django/pull/21290
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:3>

Django

May 18, 2026, 4:45:56 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jake Howard):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:4>

Django

May 20, 2026, 11:41:42 PM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:5>

Django

May 21, 2026, 4:02:53 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jake Howard):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:6>

Django

May 21, 2026, 11:59:28 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:7>

Django

May 22, 2026, 9:16:07 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:8>

Django

May 22, 2026, 10:57:49 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"53645750412efa1e9013004040db328bd515e0f1" 5364575]:
{{{#!CommitTicketReference repository=""
revision="53645750412efa1e9013004040db328bd515e0f1"
Fixed #37100 -- Prevented control characters in HttpResponse
reason_phrase.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:9>

Django

May 22, 2026, 10:58:26 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"d7b3fed6a1f8204a120929d44f78b7538e3f0703" d7b3fed]:
{{{#!CommitTicketReference repository=""
revision="d7b3fed6a1f8204a120929d44f78b7538e3f0703"
[6.1.x] Fixed #37100 -- Prevented control characters in HttpResponse
reason_phrase.

Backport of 53645750412efa1e9013004040db328bd515e0f1 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:10>