Open kenballus opened 2 months ago
The suggested fix here would be to either
- reject messages containing CR or LF within header values, or
- replace those characters with spaces before processing the request.
Don't try to sanitize, just reject, it's way safer
Agreed.
I remember that curl on parsing response headers specifically allows any line ending. Is anything dangerous to do this from a client perspective?
It would depend on the context. Permissiveness often has associated risk, but changing default behavior in a program as popular as curl can have serious unintended consequences. Not sure what the path forward is on the client side (if anything).
From RFC 9110:
uhttpd does not enforce this rule for CR and LF. This leads to a pretty poor interaction with certain load balancers. See https://github.com/litespeedtech/openlitespeed/issues/394 for more details.
The suggested fix here would be to either