ruby / webrick

HTTP server toolkit
BSD 2-Clause "Simplified" License

CR incorrectly permitted within header values #137

Closed kenballus closed 5 months ago

kenballus commented 5 months ago

WEBrick allows CR (\r) within header values. RFC 9110 says not to do this:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

The suggested fix here would be to reject requests with headers containing bare CR.
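To make the RFC 9110 rule concrete, here is a small header-block validator that rejects (or, optionally, replaces with SP) any CR, LF or NUL left inside a field value after the lines have been split. This is an added example, not WEBrick's parser or the change proposed in #138; the function names, the `mode:` option and the assumption that the input is the raw CRLF-terminated header block without the request line are mine.

```ruby
# Added example (not WEBrick code): enforce RFC 9110 section 5.5 on a raw
# header block. Once lines are split on CRLF, a CR, LF or NUL that is still
# inside a field value is a bare one, which the RFC says to reject or map to SP.
FORBIDDEN_IN_FIELD_VALUE = /[\r\n\x00]/

# RFC 9110 token characters, the only ones allowed in a field name.
FIELD_NAME = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

class InvalidHeaderError < StandardError; end

# Parse a CRLF-terminated header block into a Hash keyed by lowercased name.
# mode: :reject  -> raise on CR/LF/NUL in a value (the strict branch)
# mode: :replace -> substitute SP for each such character (the other branch)
# Obsolete line folding (a line starting with SP/HTAB) is rejected outright.
def parse_header_block(raw, mode: :reject)
  headers = {}
  raw.split("\r\n", -1).each do |line|
    next if line.empty?
    raise InvalidHeaderError, "obs-fold not accepted" if line.start_with?(" ", "\t")
    name, value = line.split(":", 2)
    raise InvalidHeaderError, "missing ':' in header line" if value.nil?
    raise InvalidHeaderError, "invalid field name #{name.inspect}" unless name.match?(FIELD_NAME)
    # Only SP/HTAB are optional whitespace; deliberately not String#strip so a
    # trailing bare CR or NUL is not silently discarded.
    value = value.gsub(/\A[ \t]+|[ \t]+\z/, "")
    if value.match?(FORBIDDEN_IN_FIELD_VALUE)
      raise InvalidHeaderError, "CR/LF/NUL in value of #{name}" if mode == :reject
      value = value.gsub(FORBIDDEN_IN_FIELD_VALUE, " ")
    end
    headers[name.downcase] = value
  end
  headers
end
```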

jeremyevans commented 5 months ago

@kenballus I submitted #138 to attempt to fix this, but it goes a little further than just disallowing CR in header values. Any chance you could review and let me know if I've made it stricter than what the RFCs allow?