Validate header values #1796
Validate header values #1796
Conversation
| if (c >= 0x21 && c <= 0x7E) || // VCHAR | ||
| c == 0x20 || // SP | ||
| c == 0x09 || // HTAB | ||
| c >= 0x80 { // obs-text |
There was a problem hiding this comment.
RFC 9110 does allow for you to be a little less strict here, if you'd like:
Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message. Field values containing other CTL characters are also invalid; however, recipients MAY retain such characters for the sake of robustness when they appear within a safe context (e.g., an application-specific quoted string that will not be processed by any downstream HTTP parser).
There was a problem hiding this comment.
I think it's probably better to just reject these values like net/http does. Parsing the value to see if it's in a safe context will be complicated.
And improve error handling for bad headers.
Fixes #1794