From 38ea12629fc07a7c9bcf064cc02e7a64e3175e46 Mon Sep 17 00:00:00 2001
From: Ran
Date: Fri, 17 Apr 2026 06:11:57 +0800
Subject: [PATCH] Pass only the header name to InvalidHeader exception

Per @pajod review: the invalid header value may carry sensitive content, and raising it through the exception could leak it across security boundaries (browsers/proxies handling response splitting errors). Pass just the name instead.
---
 gunicorn/http/wsgi.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gunicorn/http/wsgi.py b/gunicorn/http/wsgi.py
index a4a3d5ca..6ad839ca 100644
--- a/gunicorn/http/wsgi.py
+++ b/gunicorn/http/wsgi.py
@@ -170,7 +170,11 @@ def _make_early_hints_callback(req, sock, resp):
 if not TOKEN_RE.fullmatch(name):
 raise InvalidHeaderName('%r' % name)
 if not HEADER_VALUE_RE.fullmatch(value):
- raise InvalidHeader('%r' % value)
+ # Pass only the name — the invalid value may contain
+ # sensitive data that shouldn't cross security boundaries
+ # via exception propagation (browsers/proxies may forward
+ # it to untrusted parties).
+ raise InvalidHeader('%r' % name)
 value = value.strip(" \t")
 response += f"{name}: {value}\r\n".encode('latin-1')
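Review bot: After this change both the name check and the value check raise with the same payload, `'%r' % name`, so the two failure modes are distinguishable only by exception type; if InvalidHeader's string form (defined outside this hunk) simply embeds its argument, the error text will read as though the header name were malformed rather than its value. Consider a message that names the failing field without echoing the value, e.g. `raise InvalidHeader('value of header %r' % name)`, provided it still reads cleanly once InvalidHeader formats it. It is also worth recording in the comment why echoing `name` is acceptable while `value` is not: `name` has already passed `TOKEN_RE.fullmatch` two lines above, so a shorter comment such as `# name is already validated by TOKEN_RE; the value is deliberately not echoed, it may carry sensitive data` says the same as the four-line block. The enclosing function `_make_early_hints_callback` starts and ends outside the hunk.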