[Django] #37100: Prevent header injection through malformed response reason phrase
12 views
Skip to first unread message
Django
May 15, 2026, 8:28:06 AM (6 days ago) May 15
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-----------------------------+-----------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: HTTP handling
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
`HttpResponse.reason_phrase` is not correctly sanitized when creating a
response body:
{{{#!python
HttpResponse(
"body",
reason="OK\r\nX-Injected-header: yes",
)
}}}
This results in an extra header in the response, which is not present in
`.headers`.
The [https://peps.python.org/pep-0333/#the-start-response-callable WSGI
spec] requires that the status line (which contains the reason phrase)
must not contain whitespace or other control characters. Therefore, Django
should sanitize the input.
----
This was previously reported to the Security Team by rasputinkaiser,
however as reason phase is never intended to be user-controlled, it was
not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37100>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-----------------------------+-----------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: HTTP handling
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------
`HttpResponse.reason_phrase` is not correctly sanitized when creating a
response body:
{{{#!python
HttpResponse(
"body",
reason="OK\r\nX-Injected-header: yes",
)
}}}
This results in an extra header in the response, which is not present in
`.headers`.
The [https://peps.python.org/pep-0333/#the-start-response-callable WSGI
spec] requires that the status line (which contains the reason phrase)
must not contain whitespace or other control characters. Therefore, Django
should sanitize the input.
----
This was previously reported to the Security Team by rasputinkaiser,
however as reason phase is never intended to be user-controlled, it was
not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37100>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
May 15, 2026, 12:06:15 PM (6 days ago) May 15
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------+------------------------------------
Reporter: Jake Howard | Owner: (none)
Type: Bug | Status: new
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Component: HTTP handling | Version: dev
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Sarah Boyce):
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:1>
Django
May 16, 2026, 1:55:04 AM (5 days ago) May 16
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Varun Kasyap Pentamaraju):
* owner: (none) => Varun Kasyap Pentamaraju
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:2>
Django
May 16, 2026, 4:08:09 AM (5 days ago) May 16
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):
* has_patch: 0 => 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):
Comment:
https://github.com/django/django/pull/21290
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:3>
Django
May 18, 2026, 4:45:56 AM (3 days ago) May 18
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jake Howard):
-------------------------------------+-------------------------------------
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:4>
Django
May 20, 2026, 11:41:42 PM (11 hours ago) May 20
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):
-------------------------------------+-------------------------------------
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:5>
Django
4:02 AM (6 hours ago) 4:02 AM
to django-...@googlegroups.com
#37100: Prevent header injection through malformed response reason phrase
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
-------------------------------------+-------------------------------------
Changes (by Jake Howard):
* needs_better_patch: 0 => 1
--
* needs_better_patch: 0 => 1
Ticket URL: <https://code.djangoproject.com/ticket/37100#comment:6>
Reply all
Reply to author
Forward
0 new messages