FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Bug]: Non-ASCII HTTP header values are not supported #2774

Closed mmanes closed 2 weeks ago

mmanes commented 3 weeks ago

What happened?

If an HTTP request contains a header value containing non-ASCII characters, the connection is closed without sending a response. This was observed while running behind a CloudFlare proxy with the "Add visitor location headers" managed transform enabled. The problematic header which triggered the issue was cf-region: São Paulo.

Related

Version

1.47.1

Affects Versions

>= 1.41.0

robotdan commented 3 weeks ago

This doesn’t seem to be legal. Perhaps it is standard that people do it anyway?

https://www.rfc-editor.org/rfc/rfc7230#section-3.2

Maybe other implementations just throw out the header?

Surprising that CloudFlare adds non-escaped unicode characters to their HTTP headers. Or maybe we are decoding them correctly and then not handling the decoded characters?

mmanes commented 3 weeks ago

It doesn't appear to be explicitly illegal either, and it seems most software supports it. In this case, we aren't attempting to decode the characters, we just kill the connection if a header byte is out of range.

I would have expected CF to use something like this, but here we are.
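For reference, the field-value grammar in the RFC 7230 section linked above permits bytes 0x80-0xFF as "obs-text" while forbidding control characters such as CR and LF. The following is an added example, not code from FusionAuth or java-http; it checks raw header bytes against that grammar so a server can reject the bytes that actually matter for safety (CR/LF and other CTLs, which enable header injection) without dropping the connection on legitimate non-ASCII values like the cf-region one in the report. The sample header values are constructed for the example, and the UTF-8-then-Latin-1 decoding order is an assumption about how senders typically encode such values, not something the RFC mandates.

```python
from typing import Dict, Tuple

# Added example (not FusionAuth or java-http code). RFC 7230 section 3.2:
#
#   field-value   = *( field-content / obs-fold )
#   field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
#   field-vchar   = VCHAR / obs-text
#   obs-text      = %x80-FF
#
# So bytes 0x80-0xFF are grammatically allowed in a value, while CTLs
# (0x00-0x1F except HTAB, plus 0x7F DEL) are not. A parser that treats
# every byte >= 0x80 as out of range is stricter than the grammar; one
# that lets CR/LF through is looser and risks header injection.


def validate_field_value(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for one header field-value, as raw bytes.

    Leading/trailing SP and HTAB are optional whitespace (OWS) around the
    value and are stripped before the per-byte check.
    """
    value = raw.strip(b" \t")
    for offset, b in enumerate(value):
        if b in (0x0D, 0x0A):
            # CR or LF inside a value would terminate the header line early
            return False, f"CR/LF at offset {offset} (possible header injection)"
        if b < 0x20 and b != 0x09:
            return False, f"control byte 0x{b:02x} at offset {offset}"
        if b == 0x7F:
            return False, f"DEL byte at offset {offset}"
        # 0x20-0x7E (VCHAR/SP) and 0x80-0xFF (obs-text) are accepted
    return True, "ok"


def decode_field_value(raw: bytes) -> str:
    """Decode an already-validated value to text.

    RFC 7230 describes obs-text as historically ISO-8859-1, but many senders
    emit UTF-8 (the cf-region example in this issue is UTF-8). Assumption for
    this example: try UTF-8 first, then fall back to Latin-1, which maps every
    byte and therefore never raises.
    """
    value = raw.strip(b" \t")
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return value.decode("latin-1")


# Constructed sample header values (not captured from any real request)
SAMPLES: Dict[str, bytes] = {
    "cf-region": "São Paulo".encode("utf-8"),   # obs-text bytes, valid
    "x-plain": b"Sao Paulo",                      # pure ASCII, valid
    "x-crlf": b"foo\r\nX-Other: bar",             # CRLF embedded, must reject
    "x-latin1": "São Paulo".encode("latin-1"),    # single 0xE3 byte, valid
}


def check_all(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each header name to whether its value passes validation."""
    return {name: validate_field_value(value)[0] for name, value in samples.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        ok, reason = validate_field_value(value)
        shown = decode_field_value(value) if ok else reason
        print(f"{name}: {'accept' if ok else 'reject'} -> {shown}")
```

Run as a script, the block accepts both encodings of "São Paulo" and rejects only the value carrying CR/LF, which is the distinction a server needs: close the connection (or 400 the request) on CTL bytes, not on high bytes.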

robotdan commented 3 weeks ago

@mmanes shouldn't the affects versions be any version that is using java-http? That would be >= 1.41.0

mmanes commented 3 weeks ago

@mmanes shouldn't the affects versions be any version that is using java-http? That would be >= 1.41.0

* https://fusionauth.io/docs/release-notes/#version-1-41-0

@robotdan Did I miss something?