HTTP header validation
From: Stephen Booth via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Jan 2024 20:59:03 +0000
I've just been debugging a very weird bug in some scripted automation.
The script takes a bearer token as a parameter that is inserted into
the http request using the -H curl flag.
I eventually tracked the problem down to the bearer token being passed
having an extra newline inserted at the end. This was copied through to
the http request (adding a blank line and making the server ignore any
subsequent http headers breaking the upload).
Clearly this is a bug in my scripts, which need to do better input
validation, but it does strike me that it might be prudent for curl to
at least check for line breaks in custom http headers. I expect I could
have inserted an entire extra header this way, which just seems like a risk.
The counter argument would be that it's not up to curl to validate that
the arguments of a -H flag are a valid header. What do other people think?
Stephen
--
Dr Stephen P Booth, Principal Architect, EPCC
s.booth_at_epcc.ed.ac.uk, Phone 0131 650 5746
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Received on 2024-01-29
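The input validation the post calls for, as an added example that is not part of the original message or of curl itself: a POSIX sh guard that checks a bearer token before it is interpolated into `curl -H`. A value containing CR or LF would terminate the header block early, exactly as described above, so the guard rejects such a value rather than passing it on. The header name, the allowed character set (the token68 form from RFC 6750) and the usage lines are assumptions for this example.

```shell
# Added example, not from the original post or from curl.
lf=$(printf '\n.'); lf=${lf%.}     # literal newline
cr=$(printf '\r.'); cr=${cr%.}     # literal carriage return

# Return 0 if the token is safe to place in a header value, 1 otherwise.
# Checks: non-empty, no CR/LF (which would end the header early), and only
# the token68 characters RFC 6750 allows for bearer tokens (assumed policy).
token_is_valid() {
  tok=$1
  [ -n "$tok" ] || return 1
  # The CR/LF check must come first: grep is line based and would happily
  # accept each line of a multi-line value on its own.
  case "$tok" in
    *"$lf"*|*"$cr"*) return 1 ;;
  esac
  printf '%s' "$tok" | LC_ALL=C grep -Eq '^[A-Za-z0-9._~+/-]+=*$'
}

# Remove exactly one trailing LF or CRLF, the artefact that `echo`, an editor
# or a file read typically leaves, so a token is not rejected for that alone.
# Anything beyond a single trailing line break is still refused by token_is_valid.
strip_trailing_newline() {
  tok=$1
  tok=${tok%"$lf"}
  tok=${tok%"$cr"}
  printf '%s' "$tok"
}

# Print the -H argument for curl, or fail before curl ever runs.
auth_header() {
  tok=$(strip_trailing_newline "$1")
  if token_is_valid "$tok"; then
    printf 'Authorization: Bearer %s' "$tok"
  else
    echo "refusing to build Authorization header: empty, CR/LF or illegal characters in token" >&2
    return 1
  fi
}

# Constructed usage in the automation script (hostname is a placeholder):
#   hdr=$(auth_header "$TOKEN") || exit 1
#   curl -H "$hdr" --upload-file ./payload https://api.example.invalid/upload
```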