—

PYSEC-2012-5

Details

CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tornado

Introduced in: 0 Fixed in: 2.2.1

Fix pip install --upgrade 'tornado>=2.2.1'

References

http://www.tornadoweb.org/documentation/releases/v2.2.1.html [WEB]
http://openwall.com/lists/oss-security/2012/05/18/12 [WEB]
http://secunia.com/advisories/49185 [ADVISORY]
http://www.securityfocus.com/bid/53612 [WEB]
http://www.openwall.com/lists/oss-security/2012/05/18/6 [WEB]
https://github.com/advisories/GHSA-f7fv-v9rh-prvc [ADVISORY]