Re: HTTP header validation

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Jan 2024 23:10:09 +0100 (CET)

On Mon, 29 Jan 2024, Stephen Booth via curl-library wrote:

> A sanity check in curl would have helped me find the problem but it sounds
> like there are reasons I'm not aware of for not attempting any validation.

In the early days of supporting custom HTTP headers, I know some users
provided headers like "header: foobar\nheader2:" when that was the only way to
provide a content-less header. In some even worse cases, more or less a full
request was manually crafted that way.

Knowing that, I have always been a little hesitant to add a check or to filter
off newlines from these headers as I fear it will break a number of legacy use
cases.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2024-01-29
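
Since libcurl passes custom header strings through without this check, an application can validate them itself before calling `curl_slist_append`. The following is an added example, not part of the original mail or of libcurl; `check_custom_header` and the `hdr_check` values are hypothetical names. It assumes the `Name;` (send with no content) and `Name:` (remove the internal header) forms from the CURLOPT_HTTPHEADER documentation and RFC 9110 token characters for field names.

```c
#include <stdio.h>
#include <string.h>

/* Verdict for one string destined for a CURLOPT_HTTPHEADER list. */
enum hdr_check {
    HDR_OK,       /* "Name: value" */
    HDR_EMPTY,    /* "Name;"  header sent with no content */
    HDR_REMOVE,   /* "Name:"  internal header of that name is dropped */
    HDR_BAD_CTL,  /* CR, LF or another control byte is present */
    HDR_BAD_NAME  /* field name missing or not a valid token */
};

/* RFC 9110 "tchar": the characters allowed in a field name. */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
        (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

enum hdr_check check_custom_header(const char *h)
{
    size_t i, n;
    /* A control byte anywhere (tab excepted) could split the header. */
    for (i = 0; h[i]; i++) {
        unsigned char c = (unsigned char)h[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return HDR_BAD_CTL;
    }
    /* The field name is the leading run of token characters. */
    for (n = 0; is_tchar((unsigned char)h[n]); n++)
        ;
    if (n == 0)
        return HDR_BAD_NAME;
    if (h[n] == ';')
        return h[n + 1] == '\0' ? HDR_EMPTY : HDR_BAD_NAME;
    if (h[n] != ':')
        return HDR_BAD_NAME;
    /* Only whitespace after the colon means "remove", not "empty". */
    for (i = n + 1; h[i] == ' ' || h[i] == '\t'; i++)
        ;
    return h[i] ? HDR_OK : HDR_REMOVE;
}

int main(void)
{   /* The legacy form quoted in the mail is flagged, not passed on. */
    printf("%d\n", check_custom_header("header: foobar\nheader2:"));
    return 0;
}
```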