gh-143916: Reject control characters in wsgiref.headers.Headers #143917

sethmlarson · 2026-01-16T17:08:32Z

Issue: Reject control characters in wsgiref.headers.Headers #143916

Lib/test/test_wsgiref.py

miss-islington-app · 2026-01-17T17:46:24Z

Thanks @sethmlarson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

…pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

miss-islington-app · 2026-01-17T17:46:43Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.13

miss-islington-app · 2026-01-17T17:46:46Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.12

bedevere-app · 2026-01-17T17:46:47Z

GH-143972 is a backport of this pull request to the 3.14 branch.

miss-islington-app · 2026-01-17T17:46:50Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.11

miss-islington-app · 2026-01-17T17:46:53Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.10

…pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed)

gpshead · 2026-01-17T18:02:39Z

#143973 for 3.13

bedevere-app · 2026-01-17T18:03:23Z

GH-143973 is a backport of this pull request to the 3.13 branch.

GH-143917) (#143972) gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

GH-143917) (#143973) gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

…Headers (pythonGH-143917) (pythonGH-143973) pythongh-143916: Reject control characters in wsgiref.headers.Headers (pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) (cherry picked from commit 22e4d55) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Seth Michael Larson <seth@python.org>

bedevere-bot · 2026-01-17T19:42:27Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 macOS 3.13 (tier-2) has failed when building commit 22e4d55.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1404/builds/1475) and take a look at the build logs.
Check if the failure is related to this commit (22e4d55) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1404/builds/1475

Failed tests:

test_urllib2net

Summary of the results of the build (if available):

==

Click to see traceback logs

remote: Enumerating objects: 14, done. remote: Counting objects: 8% (1/12) remote: Counting objects: 16% (2/12) remote: Counting objects: 25% (3/12) remote: Counting objects: 33% (4/12) remote: Counting objects: 41% (5/12) remote: Counting objects: 50% (6/12) remote: Counting objects: 58% (7/12) remote: Counting objects: 66% (8/12) remote: Counting objects: 75% (9/12) remote: Counting objects: 83% (10/12) remote: Counting objects: 91% (11/12) remote: Counting objects: 100% (12/12) remote: Counting objects: 100% (12/12), done. remote: Total 14 (delta 11), reused 11 (delta 11), pack-reused 2 (from 1)  From https://github.com/python/cpython * branch 3.13 -> FETCH_HEAD Note: switching to '22e4d55285cee52bc4dbe061324e5f30bd4dee58'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by switching back to a branch. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -c with the switch command. Example: git switch -c <new-branch-name> Or undo this operation with: git switch - Turn off this advice by setting config variable advice.detachedHead to false HEAD is now at 22e4d55285c [3.13] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (#143973) Switched to and reset branch '3.13' ./Modules/selectmodule.c:1988:35: warning: cast from 'PyObject *(*)(PyObject *)' (aka 'struct _object *(*)(struct _object *)') to 'PyCFunction' (aka 'struct _object *(*)(struct _object *, struct _object *)') converts to incompatible function type [-Wcast-function-type-mismatch] 1988 | "kqueue_tracking_after_fork", (PyCFunction)kqueue_tracking_after_fork, |^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 warning generated. make: *** [buildbottest] Error 2

GH-143917) (GH-143973) (#143974) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) (cherry picked from commit 22e4d55) Co-authored-by: Seth Michael Larson <seth@python.org>

gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) (cherry picked from commit 22e4d55) Co-authored-by: Seth Michael Larson <seth@python.org>

sethmlarson added 2 commits January 16, 2026 10:54

Add 'test.support' fixture for C0 control characters
e7f180b

pythongh-143916: Reject control characters in wsgiref.headers.Headers
b8fcac2

sethmlarson added type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Jan 16, 2026

bedevere-appbot mentioned this pull request Jan 16, 2026
Reject control characters in wsgiref.headers.Headers #143916
Closed

sethmlarson requested a review from gpshead January 16, 2026 17:08

bedevere-appbot added the awaiting review label Jan 16, 2026

webknjaz reviewed Jan 16, 2026
View reviewed changes

Lib/test/test_wsgiref.pyShow resolvedHide resolved

gpshead approved these changes Jan 17, 2026
View reviewed changes

bedevere-appbot added awaiting merge and removed awaiting review labels Jan 17, 2026

gpshead merged commit f7fceed into python:mainJan 17, 2026
65 checks passed

bedevere-appbot removed the awaiting merge label Jan 17, 2026

miss-islington-appbot assigned gpshead Jan 17, 2026

bedevere-appbot removed the needs backport to 3.14 bugs and security fixes label Jan 17, 2026

bedevere-appbot removed the needs backport to 3.13 bugs and security fixes label Jan 17, 2026

gpshead mentioned this pull request Jan 17, 2026
[3.12] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143974
Merged

gpshead mentioned this pull request Jan 17, 2026
[3.11] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143975
Merged

gpshead mentioned this pull request Jan 17, 2026
[3.10] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143976
Merged

sethmlarson mentioned this pull request Jan 21, 2026
gh-143916: Allow HTAB in wsgiref header values #144118
Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

Uh oh!

sethmlarson commented Jan 16, 2026•
edited by bedevere-app bot
Loading

Uh oh!

Uh oh!

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

bedevere-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

gpshead commented Jan 17, 2026

Uh oh!

bedevere-appbot commented Jan 17, 2026

Uh oh!

bedevere-bot commented Jan 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

Uh oh!

Conversation

sethmlarson commented Jan 16, 2026• edited by bedevere-app botLoading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

bedevere-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

miss-islington-appbot commented Jan 17, 2026

Uh oh!

gpshead commented Jan 17, 2026

Uh oh!

bedevere-appbot commented Jan 17, 2026

Uh oh!

bedevere-bot commented Jan 17, 2026

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sethmlarson commented Jan 16, 2026•
edited by bedevere-app bot
Loading