Re: HTTP header validation
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Jan 2024 23:10:09 +0100 (CET)
On Mon, 29 Jan 2024, Stephen Booth via curl-library wrote:
> A sanity check in curl would have helped me find the problem but it sounds
> like there are reasons I'm not aware of for not attempting any validation.
In the early days of supporting custom HTTP headers, I know some users
provided headers like "header: foobar\nheader2:" when that was the only way to
provide a content-less header. In some even worse cases, more or less a full
request was manually crafted that way.
Knowing that, I have always been a little hesitant to add a check or to filter
off newlines from these headers as I fear it will break a number of legacy use
cases.
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html

Received on 2024-01-29
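Since libcurl passes custom header strings through without validation, an application can run its own sanity check before appending a line to the list it gives to CURLOPT_HTTPHEADER. The following is an added example, not code from curl or from this thread; the names `hdr_check` and `check_custom_header` are hypothetical. It assumes libcurl's documented forms "Name:" (suppress an internal header) and "Name;" (send a header with no content), and rejects the legacy embedded-newline form mentioned above.

```c
#include <stddef.h>
#include <string.h>

/* Result of checking one custom header line before it is appended to the
   list given to CURLOPT_HTTPHEADER. Names are hypothetical, not libcurl's. */
typedef enum {
  HDR_OK,         /* "Name: value" */
  HDR_REMOVE,     /* "Name:" asks libcurl to drop its internal header */
  HDR_EMPTY,      /* "Name;" sends the header with no content */
  HDR_BAD_CTRL,   /* CR, LF or another control byte in the line */
  HDR_BAD_FORMAT  /* no usable field name or separator */
} hdr_check;

/* RFC 9110 "tchar": bytes allowed in a field name. */
static int is_tchar(unsigned char c)
{
  if((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
    return 1;
  return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

hdr_check check_custom_header(const char *line)
{
  size_t i, n = 0;

  if(!line)
    return HDR_BAD_FORMAT;
  /* Reject control bytes anywhere; horizontal tab is legal in a value. */
  for(i = 0; line[i]; i++) {
    unsigned char c = (unsigned char)line[i];
    if((c < 0x20 && c != '\t') || c == 0x7f)
      return HDR_BAD_CTRL;
  }
  while(is_tchar((unsigned char)line[n]))
    n++;
  if(n == 0)
    return HDR_BAD_FORMAT;
  if(line[n] == ';')
    return line[n + 1] ? HDR_BAD_FORMAT : HDR_EMPTY;
  if(line[n] != ':')
    return HDR_BAD_FORMAT;
  /* Only whitespace after the colon means "remove this header". */
  for(i = n + 1; line[i] == ' ' || line[i] == '\t'; i++)
    ;
  return line[i] ? HDR_OK : HDR_REMOVE;
}
```

Call `check_custom_header()` on each string and pass it to `curl_slist_append()` only when the result is `HDR_OK`, `HDR_REMOVE` or `HDR_EMPTY`.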