Re: HTTP header validation
From: Stephen Booth via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Jan 2024 22:05:53 +0000
On 29/01/2024 21:34, Dan Fandrich via curl-library wrote:
> This is a case of GIGO. The man page even warns against this:
>
> curl makes sure that each header you add/replace is sent with the proper
> end-of-line marker, you should thus not add that as a part of the header
> content: do not add newlines or carriage returns, they only mess things up
> for you. curl passes on the verbatim string you give it without any filter
> or other safe guards. That includes white space and control characters.
I was certainly not trying to do this intentionally and GIGO is
absolutely fair comment. Curl was the last place the check could have
been performed rather than the place where it should have been.
A sanity check in curl would have helped me find the problem but it
sounds like there are reasons I'm not aware of for not attempting any
validation.
Stephen
--
======================================================================
|epcc| Dr Stephen P Booth Principal Architect |epcc|
|epcc| s.booth_at_epcc.ed.ac.uk Phone 0131 650 5746 |epcc|
======================================================================
--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

Received on 2024-01-29
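
The check that the quoted man page passage leaves to the caller, as an added example that is not part of the thread or of curl: each header string is validated before it is passed to `curl_slist_append()`, and the offset of the first bad byte is reported. `check_header_line`, `is_tchar` and the `hdr_check` codes are hypothetical names, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names are this example's own, not libcurl's). */
enum hdr_check { HDR_OK, HDR_NO_SEPARATOR, HDR_BAD_NAME, HDR_CTRL_CHAR };

/* RFC 9110 "tchar": the bytes allowed in a header field name. */
static int is_tchar(unsigned char c)
{
  if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
      (c >= 'a' && c <= 'z'))
    return 1;
  return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Check one header string before it goes to curl_slist_append().
 * On failure *bad_off is the offset of the first offending byte. */
enum hdr_check check_header_line(const char *line, size_t *bad_off)
{
  size_t i = 0;
  while (is_tchar((unsigned char)line[i]))
    i++;
  *bad_off = i;
  if (i == 0)
    return HDR_BAD_NAME;                /* empty field name */
  if (line[i] == '\0')
    return HDR_NO_SEPARATOR;
  if (line[i] != ':' && line[i] != ';') /* libcurl also takes "Name;" */
    return HDR_BAD_NAME;
  for (i++; line[i] != '\0'; i++) {
    unsigned char c = (unsigned char)line[i];
    if ((c < 0x20 && c != '\t') || c == 0x7f) { /* CR, LF, other controls */
      *bad_off = i;
      return HDR_CTRL_CHAR;
    }
  }
  return HDR_OK;
}

int main(void)
{
  /* Constructed sample: a value that picked up a trailing newline. */
  const char *sample = "X-Token: abc123\n";
  size_t off;
  enum hdr_check rc = check_header_line(sample, &off);
  printf("result=%d offset=%zu\n", (int)rc, off);
  return 0;
}
```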