Closed TasosY2K closed 7 months ago
Thanks. I now check the path for non-printable bytes. I realize that the spec requires more than this (i.e. some printable characters must be escaped, in some cases depending on where they are). But hopefully this check addresses the security issue.
I also added checks for the header key and values (I believe these checks are compliant).
Header injection via CRLF escape in http.zig
It is possible to overwrite existing headers or to inject arbitrary headers in the response via CRLF injection in URL parameters.
See HTTP header injection at https://www.invicti.com/blog/web-security/crlf-http-header/
POC
Server
Client
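The pattern the report describes, shown as an added example that is not part of this issue or of http.zig: a redirect handler reflects a query parameter into the `Location` header, the attacker URL-encodes a CR LF pair inside that parameter, and a client parsing the response sees an extra `Set-Cookie` header. Beside it is a hardened builder that validates header names and values against the RFC 9110 grammar (field-name = token; field-value limited to HTAB, SP, VCHAR and obs-text), which is the kind of check the maintainer's comment refers to. The code is Python rather than Zig so it can be run anywhere; the request payload, response builders and tiny header parser are constructed for the demo.

```python
"""CRLF header injection, vulnerable and hardened.

Added example, not code from http.zig. The response builders, the attacker
query string and the minimal header parser are constructed for illustration;
the validation rules follow RFC 9110 (field-name = token, field-value chars).
"""
import string
import urllib.parse

# tchar (RFC 9110 section 5.6.2): the only characters legal in a header name.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def is_valid_header_name(name: str) -> bool:
    """One or more tchar. Space, colon, CR and LF are all rejected."""
    return len(name) > 0 and all(c in TCHAR for c in name)


def is_valid_header_value(value: str) -> bool:
    """HTAB, SP, VCHAR (0x21-0x7E) and obs-text (0x80-0xFF) only.

    CR, LF, NUL and every other control character are rejected, which is what
    prevents a value from terminating its line and starting a new header.
    An empty value is legal (field-value = *field-content).
    """
    for c in value:
        o = ord(c)
        if o == 0x09 or 0x20 <= o <= 0x7E or 0x80 <= o <= 0xFF:
            continue
        return False
    return True


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Reflects a query parameter into Location with no validation (the flaw)."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1", "replace")


def build_redirect_hardened(next_url: str) -> bytes:
    """Same response, but refuses anything that is not a legal field-value."""
    if not is_valid_header_name("Location") or not is_valid_header_value(next_url):
        raise ValueError("illegal byte in header value")
    return build_redirect_vulnerable(next_url)


def parse_headers(raw: bytes) -> dict:
    """Minimal client-side split of the head into name/value pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker request: CR and LF are percent-encoded in the query
# string and decoded by the server before the value reaches the writer.
ATTACK_QUERY = "next=/home%0d%0aSet-Cookie:%20session=attacker"
ATTACK_NEXT = urllib.parse.parse_qs(ATTACK_QUERY)["next"][0]


def demo_vulnerable() -> dict:
    """Headers a client would see from the unvalidated builder."""
    return parse_headers(build_redirect_vulnerable(ATTACK_NEXT))


def demo_hardened() -> str:
    """The hardened builder rejects the same input instead of emitting it."""
    try:
        build_redirect_hardened(ATTACK_NEXT)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(demo_vulnerable())  # includes an injected set-cookie header
    print(demo_hardened())    # illegal byte in header value
```

Rejecting only non-printable bytes (CR, LF, NUL and the other controls) is enough to stop a value from breaking out of its line, and that is what the value check here does. The name check is stricter: a space or a colon is printable but is not a tchar, so a header name containing one is rejected too.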