valyala / fasthttp

Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http
MIT License

`\r` is improperly permitted in header names. #1785

Closed kenballus closed 5 months ago

kenballus commented 5 months ago

From RFC 9112:

A sender MUST NOT generate a bare CR (a CR character not immediately followed by LF) within any protocol elements other than the content. A recipient of such a bare CR MUST consider that element to be invalid or replace each bare CR with SP before processing the element or forwarding the message.

FastHTTP does not enforce this rule in the context of header names.

To see this for yourself, run this FastHTTP server, and send the following request:

GET / HTTP/1.1\r\n
Host: whatever\r\n
\rtest: test\r\n
\r\n

Its response, after base64-decoding the pieces, should look something like this:

HTTPRequest(
    method=b'GET', uri=b'/', version=b'1.1',
    headers=[
        (b'\rtest2', b'test2'),
        (b'host', b'a'),
    ],
    body=b'',
)

The \r at the beginning of the first header name is invalid, and should cause the message to be rejected.

erikdubbelboer commented 5 months ago

@kenballus please check https://github.com/valyala/fasthttp/pull/1789