search

valyala / fasthttp

Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http
MIT License
21.94k stars 1.76k forks source link

`\r` and `\x00` are improperly permitted in header values #1794

Closed kenballus closed 4 months ago

kenballus commented 5 months ago

From RFC 9110, section 5.5:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

FastHTTP does not enforce this rule for \r (CR) and \x00 (NUL).

To see this for yourself, run this FastHTTP server, and send the following request:

GET / HTTP/1.1\r\n
Host: whatever\r\n
test: te\r\x00st\r\n
\r\n

The headers in its response, after base64-decoding, should look something like this:

('content-length', '0')
('host', 'whatever')
('test', 'te\r\x00st')

In order to comply with the RFC, the \r and \x00 within the last header value should have either

  1. caused the message to be rejected, or
  2. been translated to spaces.
erikdubbelboer commented 5 months ago

@kenballus please check https://github.com/valyala/fasthttp/pull/1796