Re: Should libcurl validate HTTP headers?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 13 Apr 2026 07:56:12 +0200 (CEST)
On Sun, 12 Apr 2026, Demi Marie Obenour via curl-library wrote:
> I'm wondering if libcurl should validate the HTTP headers provided to it.
> I know that it currently doesn't, but passing a bad header is almost
> certainly an app bug.
Maybe it should. There has been no demand for this from actual uses over the
years but it is one of the most commonly reported claimed "security
vulnerabilities" that we reject.
Additionally: there are also other options that accept almost anything the
user passes in that can end up in outgoing protocol exchanges.
-- 
 / daniel.haxx.se || https://rock-solid.curl.dev

Received on 2026-04-13
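Since libcurl passes header strings through unvalidated, an application can check each line itself before it reaches `curl_slist_append()` for `CURLOPT_HTTPHEADER`. The sketch below is an added example, not part of this thread or of libcurl: `header_line_ok` and `HEADER_LITERAL_OK` are hypothetical names, and the rules assumed are RFC 9110 field-name tokens, libcurl's documented `Name:` and `Name;` forms, and rejection of control bytes in values.

```c
#include <stdio.h>
#include <string.h>

/* RFC 9110 "tchar": the characters allowed in a header field name. */
static int is_tchar(unsigned char c)
{
  if((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
     (c >= 'a' && c <= 'z'))
    return 1;
  return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical application-side helper, not a libcurl function.
   Returns 1 if the first len bytes of line are one well-formed header
   line, 0 otherwise. The explicit length lets an embedded NUL be seen. */
int header_line_ok(const char *line, size_t len)
{
  size_t i = 0;
  while(i < len && is_tchar((unsigned char)line[i]))
    i++;
  if(i == 0 || i == len)
    return 0;               /* empty name, or no separator at all */
  if(line[i] == ';')
    return i + 1 == len;    /* "Name;" (empty value): nothing may follow */
  if(line[i] != ':')
    return 0;               /* space or other non-token byte in the name */
  for(i++; i < len; i++) {
    unsigned char c = (unsigned char)line[i];
    /* CR, LF, NUL and other controls (HTAB excepted) and DEL would
       change the framing of the outgoing request. */
    if((c < 0x20 && c != '\t') || c == 0x7f)
      return 0;
  }
  return 1;                 /* also accepts "Name:" with no value */
}

/* Convenience for string literals; sizeof counts embedded NULs. */
#define HEADER_LITERAL_OK(s) header_line_ok((s), sizeof(s) - 1)

int main(void)
{
  /* Constructed samples. */
  printf("%d\n", HEADER_LITERAL_OK("X-Trace-Id: abc123"));    /* 1 */
  printf("%d\n", HEADER_LITERAL_OK("X-A: 1\r\nX-B: 2"));      /* 0 */
  printf("%d\n", HEADER_LITERAL_OK("Bad Name: v"));           /* 0 */
  return 0;
}
```

Only lines that pass would be appended to the list; a rejected line is best treated as an application error rather than silently dropped.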