-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow \r\n
in Header text
#92
Comments
Hmmm, I can see how this would lead to unexpected headers... Unfortunately, we can't simply disallow \n, because headers can be multi-line: http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 Each additional line of the header must begin with at least one space or tab to be considered part of the previous line. So: addHeader "X-Foo" "Hey\r\n Content-Type: bla" should parse as a single X-Foo header with a multi-line value. I'm trying to think of the most graceful way to handle this. Maybe emit a warning to the console? "addHeader: header value contains newline character - X-Foo Hey\r\nContent-Type: blah" |
Header Injection is a security issue and should be treated accordingly. I suggest disallowing |
+1 to assuming this is a security violation. An alternative to addHeaderMultiline is to introduce a |
Explicitly disallowing multiline headers by default it's an additional prevention against HTTP Response Splitting, by which Cache Poisoning can be done |
If I understand correctly, multiline headers have been deprecated since RFC9110 superseded RFC2616 : https://www.rfc-editor.org/rfc/rfc9110.html#section-5.5-5 :
So I would vote for sanitizing headers in one way or another. |
Design notes from a former PR review: #359 (comment) |
As the following program illustrates, it is possible to set more than one HTTP header by passing a string containing
\r\n
tosetHeader
, possibly leading to duplicate headers:Of course, data should ideally be sanitized before it reaches all they way to
setHeader
, but it would nonetheless be good to disallow this at thesetHeader
level, or possibly even lower-level than that.The text was updated successfully, but these errors were encountered: