Update handlers.py

benediktjohannes · web-flow · commit d952a1667028 · 2026-02-14T00:43:26.000+01:00
diff --git a/Lib/wsgiref/handlers.py b/Lib/wsgiref/handlers.py
@@ -236,14 +236,25 @@ def start_response(self, status, headers,exc_info=None):
             raise AssertionError("Headers already set!")
 
         self.status = status
+
+        # Do not change the next line unless you know you are
+        # doing because it indirectly prevents injections via C0 control
+        # characters in the following lines via raising a ValueError
+        # inside headers_class.
         self.headers = self.headers_class(headers)
-        status = self._convert_string_type(status, "Status", name=True)
+
+        status = self._convert_string_type(status, "Status")
+
+        regex = (_name_disallowed_re if name else _value_disallowed_re)
+        if regex.search(value):
+            raise ValueError("Control characters are not allowed in headers and status")
+
         self._validate_status(status)
 
         if __debug__:
             for name, val in headers:
-                name = self._convert_string_type(name, "Header name", name=True)
-                val = self._convert_string_type(val, "Header value", name=False)
+                name = self._convert_string_type(name, "Header name")
+                val = self._convert_string_type(val, "Header value")
                 assert not is_hop_by_hop(name),\
                        f"Hop-by-hop header, '{name}: {val}', not allowed"
 
@@ -260,9 +271,6 @@ def _validate_status(self, status):
     def _convert_string_type(self, value, title, *, name):
         """Convert/check value type."""
         if type(value) is str:
-            regex = (_name_disallowed_re if name else _value_disallowed_re)
-            if regex.search(value):
-                raise ValueError("Control characters not allowed in headers and status")
             return value
         raise AssertionError(
             "{0} must be of type str (got {1})".format(title, repr(value))
