curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: HTTP header validation

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 29 Jan 2024 23:10:09 +0100 (CET)

On Mon, 29 Jan 2024, Stephen Booth via curl-library wrote:

> A sanity check in curl would have helped me find the problem but it sounds
> like there are reasons I'm not aware of for not attempting any validation.

In the early days of supporting custom HTTP headers, I know some users
provided headers like "header: foobar\nheader2:" when that was the only way to
provide a content-less header. In some even worse cases, more or less a full
request was manually crafted that way.

Know that, I have always been a little hesitant to add a check or to filter
off newlines from these headers as I fear it will break a number of legacy use
cases.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

Received on 2024-01-29

This message: [ Message body ]
Next message: Patrick Monnerat via curl-library: "Re: Seek problem with curl_formadd with CURLFORM_STREAM"
Previous message: Stephen Booth via curl-library: "Re: HTTP header validation"
In reply to: Stephen Booth via curl-library: "Re: HTTP header validation"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]