search

yesodweb / wai

Haskell Web Application Interface
MIT License
835 stars 263 forks source link

`wai` allows invalid HTTP headers #628

Open danclien opened 7 years ago

danclien commented 7 years ago

General

wai allows HTTP header names with spaces which breaks Chrome (returns an ERR_SPDY_PROTOCOL_ERROR error) when using HTTP/2.

We discovered this while using an AWS Application Load Balancer (ALB) which automatically upgrades the connection between the browser and the ALB to HTTP/2. The connection between the ALB and the server was HTTP/1.1.

Relevant RFCs

HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 -- https://tools.ietf.org/html/rfc2616#section-4.2

The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon). -- https://tools.ietf.org/html/rfc822#section-3.1.2

Example

{-# LANGUAGE OverloadedStrings #-}

import Network.Wai (responseLBS, Application)
import Network.Wai.Handler.Warp (run)
import Network.HTTP.Types (status200)
import Network.HTTP.Types.Header (hContentType)

main = do
    let port = 80
    putStrLn $ "Listening on port " ++ show port
    run port app

app :: Application
app req f =
    f $ responseLBS status200 [(hContentType, "text/plain"), ("A A", "foo")] "Hello world!"
kazu-yamamoto commented 7 years ago

Which is better?

danclien commented 7 years ago

I prefer failing fast by throwing an error if broken headers are found, but I know that can also break other people's code.

pbrinkmeier commented 7 months ago

@kazu-yamamoto I could set up a PR that adds a middleware to wai-extra to address this? This middleware could also validate header values, both keys and values are not allowed to contain any control characters iirc (i can research the RFC, just need to hear if you'd be willing to merge something like that).

kazu-yamamoto commented 6 months ago

@pbrinkmeier Sorry for the delay. Yes, please.

pbrinkmeier commented 6 months ago

I will do it in the next few days, thanks for getting back to me :)

kazu-yamamoto commented 6 months ago

Closing.