gh-142533: Validate CRLF in send_response_only and add test

tadejmagajna · tadejmagajna · commit 2f0605aa2c90 · 2025-12-12T21:33:16.000+01:00
diff --git a/Lib/http/server.py b/Lib/http/server.py
@@ -552,6 +552,7 @@ def send_response_only(self, code, message=None):
                     message = ''
             if not hasattr(self, '_headers_buffer'):
                 self._headers_buffer = []
+            _validate_header_string(message)
             self._headers_buffer.append(("%s %d %s\r\n" %
                     (self.protocol_version, code, message)).encode(
                         'latin-1', 'strict'))
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
@@ -1052,6 +1052,19 @@ def test_header_buffering_of_send_response_only(self):
         handler.end_headers()
         self.assertEqual(output.numWrites, 1)
 
+    def test_send_response_only_rejects_crlf_message(self):
+        input = BytesIO(b'GET / HTTP/1.1\r\n\r\n')
+        output = AuditableBytesIO()
+        handler = SocketlessRequestHandler()
+        handler.rfile = input
+        handler.wfile = output
+        handler.request_version = 'HTTP/1.1'
+
+        with self.assertRaises(ValueError) as ctx:
+            handler.send_response_only(418, 'value\r\nSet-Cookie: custom=true')
+        self.assertIn('Invalid header name/value: contains CR or LF',
+                      str(ctx.exception))
+
     def test_header_buffering_of_send_header(self):
 
         input = BytesIO(b'GET / HTTP/1.1\r\n\r\n')
