gh-143916: Reject control characters in wsgiref.headers.Headers #143917

sethmlarson · 2026-01-16T17:08:32Z

Issue: Reject control characters in wsgiref.headers.Headers #143916

Lib/test/test_wsgiref.py

miss-islington-app · 2026-01-17T17:46:24Z

Thanks @sethmlarson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

…pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

miss-islington-app · 2026-01-17T17:46:43Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.13

miss-islington-app · 2026-01-17T17:46:46Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.12

bedevere-app · 2026-01-17T17:46:47Z

GH-143972 is a backport of this pull request to the 3.14 branch.

miss-islington-app · 2026-01-17T17:46:50Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.11

miss-islington-app · 2026-01-17T17:46:53Z

Sorry, @sethmlarson and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f7fceed79ca1bceae8dbe5ba5bc8928564da7211 3.10

…pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed)

gpshead · 2026-01-17T18:02:39Z

#143973 for 3.13

bedevere-app · 2026-01-17T18:03:23Z

GH-143973 is a backport of this pull request to the 3.13 branch.

GH-143917) (#143972) gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

GH-143917) (#143973) gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) * Add 'test.support' fixture for C0 control characters * gh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) Co-authored-by: Seth Michael Larson <seth@python.org>

…Headers (pythonGH-143917) (pythonGH-143973) pythongh-143916: Reject control characters in wsgiref.headers.Headers (pythonGH-143917) * Add 'test.support' fixture for C0 control characters * pythongh-143916: Reject control characters in wsgiref.headers.Headers (cherry picked from commit f7fceed) (cherry picked from commit 22e4d55) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Seth Michael Larson <seth@python.org>

bedevere-bot · 2026-01-17T19:42:27Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 macOS 3.13 (tier-2) has failed when building commit 22e4d55.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1404/builds/1475) and take a look at the build logs.
Check if the failure is related to this commit (22e4d55) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1404/builds/1475

Failed tests:

test_urllib2net

Summary of the results of the build (if available):

==

Click to see traceback logs

remote: Enumerating objects: 14, done.        
remote: Counting objects:   8% (1/12)        
remote: Counting objects:  16% (2/12)        
remote: Counting objects:  25% (3/12)        
remote: Counting objects:  33% (4/12)        
remote: Counting objects:  41% (5/12)        
remote: Counting objects:  50% (6/12)        
remote: Counting objects:  58% (7/12)        
remote: Counting objects:  66% (8/12)        
remote: Counting objects:  75% (9/12)        
remote: Counting objects:  83% (10/12)        
remote: Counting objects:  91% (11/12)        
remote: Counting objects: 100% (12/12)        
remote: Counting objects: 100% (12/12), done.        
remote: Total 14 (delta 11), reused 11 (delta 11), pack-reused 2 (from 1)        
From https://github.com/python/cpython
 * branch                    3.13       -> FETCH_HEAD
Note: switching to '22e4d55285cee52bc4dbe061324e5f30bd4dee58'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 22e4d55285c [3.13] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (#143973)
Switched to and reset branch '3.13'

./Modules/selectmodule.c:1988:35: warning: cast from 'PyObject *(*)(PyObject *)' (aka 'struct _object *(*)(struct _object *)') to 'PyCFunction' (aka 'struct _object *(*)(struct _object *, struct _object *)') converts to incompatible function type [-Wcast-function-type-mismatch]
 1988 |     "kqueue_tracking_after_fork", (PyCFunction)kqueue_tracking_after_fork,
      |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

make: *** [buildbottest] Error 2

sethmlarson added 2 commits January 16, 2026 10:54

Add 'test.support' fixture for C0 control characters

e7f180b

pythongh-143916: Reject control characters in wsgiref.headers.Headers

b8fcac2

sethmlarson added type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Jan 16, 2026

bedevere-app bot mentioned this pull request Jan 16, 2026

Reject control characters in wsgiref.headers.Headers #143916

Open

sethmlarson requested a review from gpshead January 16, 2026 17:08

bedevere-app bot added the awaiting review label Jan 16, 2026

webknjaz reviewed Jan 16, 2026

View reviewed changes

Lib/test/test_wsgiref.py Show resolved Hide resolved

gpshead approved these changes Jan 17, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting review labels Jan 17, 2026

gpshead merged commit f7fceed into python:main Jan 17, 2026
65 checks passed

bedevere-app bot removed the awaiting merge label Jan 17, 2026

miss-islington-app bot assigned gpshead Jan 17, 2026

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jan 17, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jan 17, 2026

gpshead mentioned this pull request Jan 17, 2026

[3.12] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143974

Open

gpshead mentioned this pull request Jan 17, 2026

[3.11] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143975

Open

gpshead mentioned this pull request Jan 17, 2026

[3.10] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (GH-143973) #143976

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

sethmlarson commented Jan 16, 2026 •

edited by bedevere-app bot

Loading

Uh oh!

Uh oh!

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

bedevere-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

gpshead commented Jan 17, 2026

Uh oh!

bedevere-app bot commented Jan 17, 2026

Uh oh!

bedevere-bot commented Jan 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

gh-143916: Reject control characters in wsgiref.headers.Headers #143917

Conversation

sethmlarson commented Jan 16, 2026 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

bedevere-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

miss-islington-app bot commented Jan 17, 2026

Uh oh!

gpshead commented Jan 17, 2026

Uh oh!

bedevere-app bot commented Jan 17, 2026

Uh oh!

bedevere-bot commented Jan 17, 2026

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sethmlarson commented Jan 16, 2026 •

edited by bedevere-app bot

Loading