Closed jeremyevans closed 5 months ago
@kenballus Thank you very much for your review. Since the RFCs do not require (MAY not MUST) the loose behavior, I would feel better about making things strict in order to reduce the chance of security issues, especially since other web servers are similarly strict.
Agreed. LGTM.
Disallow bare CR, LF, NUL in header and request lines. Tighten parsing of request lines to only allow single spaces, as specified in the RFCs.
Forcing this RFC-compliant behavior breaks a lot of tests, so fix the tests to correctly use CRLF instead of LF for requests (other than the specific checks for handling of bad requests).
Fixes #137
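The strictness described in the commit message above, shown as an added Ruby example that is not the project's own code: a request head is accepted only if every line ends in CRLF, no line contains a bare CR, LF or NUL, and the request line uses single spaces. The names `BadRequest`, `parse_request_head` and `strict_head?` are hypothetical, the sample requests are constructed, and rejecting whitespace before the header colon and folded header lines is an assumption of this sketch.

```ruby
# Added example (not the project's code): strict parsing of an HTTP/1.x request head.
# BadRequest, parse_request_head and strict_head? are hypothetical names.
class BadRequest < StandardError; end

# method SP request-target SP HTTP-version, with exactly one space between parts.
REQUEST_LINE = /\A([!$%&'*+\-.^_`|~#0-9A-Za-z]+) ([\x21-\x7e]+) HTTP\/(\d\.\d)\z/
# field-name ":" optional whitespace, value, optional whitespace.
# Assumption: whitespace before the colon and folded lines are rejected too.
HEADER_LINE = /\A([!$%&'*+\-.^_`|~#0-9A-Za-z]+):[ \t]*(.*?)[ \t]*\z/

def parse_request_head(raw)
  raw = raw.b # work on bytes so invalid encodings cannot raise mid-parse
  raise BadRequest, "head must end with CRLF CRLF" unless raw.end_with?("\r\n\r\n")
  lines = raw[0...-4].split("\r\n", -1)
  # After splitting on CRLF, any CR, LF or NUL left over is a bare one.
  lines.each do |line|
    raise BadRequest, "bare CR, LF or NUL" if line.match?(/[\r\n\x00]/)
  end
  request_line, *header_lines = lines
  m = REQUEST_LINE.match(request_line.to_s)
  raise BadRequest, "malformed request line" unless m
  headers = header_lines.map do |line|
    h = HEADER_LINE.match(line)
    raise BadRequest, "malformed header line" unless h
    [h[1], h[2]]
  end
  { method: m[1], target: m[2], version: m[3], headers: headers }
end

def strict_head?(raw)
  parse_request_head(raw)
  true
rescue BadRequest
  false
end

# Constructed sample requests.
GOOD = "GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
BAD = {
  bare_lf:      "GET / HTTP/1.1\nHost: example.test\r\n\r\n",
  double_space: "GET  / HTTP/1.1\r\nHost: example.test\r\n\r\n",
  tab_sep:      "GET\t/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
  nul_in_value: "GET / HTTP/1.1\r\nHost: example\0.test\r\n\r\n",
  bare_cr:      "GET / HTTP/1.1\r\nX-A: 1\rX-B: 2\r\n\r\n",
}

if __FILE__ == $0
  puts "good: #{strict_head?(GOOD)}"
  BAD.each { |name, raw| puts "#{name}: #{strict_head?(raw)}" }
end
```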