gh-143916: Allow HTAB in wsgiref header values #144118

sethmlarson · 2026-01-21T17:07:49Z

In #143917 we were overzealous, HTAB (0x09) is allowed in header values but not header names.

Issue: Reject control characters in wsgiref.headers.Headers #143916

vstinner · 2026-02-03T10:50:22Z

Lib/wsgiref/headers.py

                self._convert_string_type(v)

-    def _convert_string_type(self, value):
+    def _convert_string_type(self, value, *, name=False):


It may be safer to always require the name parameter:

Suggested change

def _convert_string_type(self, value, *, name=False):

def _convert_string_type(self, value, *, name):

vstinner · 2026-02-03T10:51:51Z

Lib/wsgiref/headers.py

        """Convert/check value type."""
        if type(value) is str:
-            if _control_chars_re.search(value):
+            if (_name_disallowed_re if name else _value_disallowed_re).search(value):


nitpick: I would prefer to write this code on two lines for better readability:

Suggested change

if (_name_disallowed_re if name else _value_disallowed_re).search(value):

regex = (_name_disallowed_re if name else _value_disallowed_re)

if regex.search(value):

vstinner · 2026-02-03T10:52:13Z

Lib/test/test_wsgiref.py

+                headers = Headers()
+                self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
+                self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
+                # HTAB is allowed in values, not names.


Suggested change

# HTAB is allowed in values, not names.

# HTAB (\x09) is allowed in values, not names.

vstinner · 2026-02-03T11:01:44Z

See also PR gh-144371 which rejects control characters in Lib/wsgiref/handlers.py.

Allow HTAB in wsgiref header values

f3f85c5

bedevere-app bot mentioned this pull request Jan 21, 2026

Reject control characters in wsgiref.headers.Headers #143916

Closed

bedevere-app bot added the awaiting review label Jan 21, 2026

sethmlarson added skip news and removed awaiting review labels Jan 21, 2026

benediktjohannes mentioned this pull request Jan 31, 2026

gh-144370: Disallow usage of control characters in status, headers and values for security #144371

Open

vstinner reviewed Feb 3, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

gh-143916: Allow HTAB in wsgiref header values #144118

gh-143916: Allow HTAB in wsgiref header values #144118

sethmlarson commented Jan 21, 2026 •

edited by bedevere-app bot

Loading

Uh oh!

vstinner Feb 3, 2026

Uh oh!

vstinner Feb 3, 2026

Uh oh!

vstinner Feb 3, 2026

Uh oh!

vstinner commented Feb 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	def _convert_string_type(self, value, *, name=False):
	def _convert_string_type(self, value, *, name):

	if (_name_disallowed_re if name else _value_disallowed_re).search(value):
	regex = (_name_disallowed_re if name else _value_disallowed_re)
	if regex.search(value):

	# HTAB is allowed in values, not names.
	# HTAB (\x09) is allowed in values, not names.

Uh oh!

gh-143916: Allow HTAB in wsgiref header values #144118

Are you sure you want to change the base?

gh-143916: Allow HTAB in wsgiref header values #144118

Conversation

sethmlarson commented Jan 21, 2026 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vstinner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

vstinner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

vstinner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

vstinner commented Feb 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

sethmlarson commented Jan 21, 2026 •

edited by bedevere-app bot

Loading