Security issue: HTTPRedirect exception can be used to inject headers
The HTTPRedirect exception does not validate the supplied URL - An invalid (eg. user supplied) URL can lead to header injection.
Eg raise HTTPRedirect('/foobar/\x0aSet-Cookie:%20somecookie=someval')
Of course the user code should validate the URL prior to raising HTTPRedirect, but failing to do so should raise an exception rather than leading to a potentially exploitable attack.
Reported by gwatts