Re: Should libcurl validate HTTP headers?
From: Demi Marie Obenour <demiobenour_at_gmail.com>
Date: Mon, 13 Apr 2026 18:13:19 -0400
On 4/13/26 01:56, Daniel Stenberg wrote:
> On Sun, 12 Apr 2026, Demi Marie Obenour via curl-library wrote:
>
>> I'm wondering if libcurl should validate the HTTP headers provided to it.
>> I know that it currently doesn't, but passing a bad header is almost
>> certainly an app bug.
>
> Maybe it should. There has been no demand for this from actual users over the
> years but it is one of the most commonly reported claimed "security
> vulnerabilities" that we reject.
Interestingly, for Nginx this *does* lead to issues in the wild, largely
due to users using decoded parts of the URL in headers. Those can contain
newlines.
> Additionally: there are also other options that accept almost anything the
> user passes in that can end up in outgoing protocol exchanges.
Not surprised.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Received on 2026-04-14
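Worked example of the app-side check the thread is about, added here as an illustration; it is not code from the curl project, libcurl itself (as Daniel says above) does not validate what you pass in CURLOPT_HTTPHEADER. It assumes the Nginx-style pattern Demi describes: a component of the request URL is percent-decoded and placed in an outgoing header. The header name `X-Original-Path`, the sample paths and the small percent-decoder are constructed for the example (a real app would use `curl_easy_unescape`); the `header_is_valid` check is stricter than what libcurl accepts, but it does admit libcurl's documented `Name:` (remove header) and `Name;` (send empty value) spellings.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 9110 "tchar": the characters permitted in a header field name. */
static int is_tchar(unsigned char c)
{
    return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/*
 * Returns 1 if hdr is a well-formed header line to hand to curl_slist_append(),
 * 0 otherwise. Accepts "Name: value", "Name:" and "Name;". Rejects an empty or
 * non-token name, CR, LF, DEL and any control character other than HTAB in the
 * value: CR/LF is what turns one header into two (or into a request body).
 */
int header_is_valid(const char *hdr)
{
    size_t len = strlen(hdr);
    const char *sep = strchr(hdr, ':');
    const char *p;

    if (sep == NULL) {
        /* Only the "Name;" form may lack a colon. */
        if (len < 2 || hdr[len - 1] != ';')
            return 0;
        sep = hdr + len - 1;
    }
    if (sep == hdr)                  /* empty field name */
        return 0;
    for (p = hdr; p < sep; p++)
        if (!is_tchar((unsigned char)*p))
            return 0;
    for (p = sep + 1; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\r' || c == '\n' || c == 0x7f || (c < 0x20 && c != '\t'))
            return 0;
    }
    return 1;
}

/*
 * Minimal percent-decoder (constructed for this example, not libcurl's
 * curl_easy_unescape). Returns 1 on success, 0 on a malformed escape, an
 * escaped NUL or overflow. NUL is rejected on purpose: the validator above
 * works on C strings and would never see whatever follows an embedded NUL.
 */
int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            char hex[3];
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            hex[0] = in[1]; hex[1] = in[2]; hex[2] = '\0';
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
        }
        if (c == '\0' || n + 1 >= outsz)
            return 0;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 1;
}

/*
 * The pattern from the thread: decode part of the URL and put it in a header.
 * Fills out with the header line and returns 1 only if the decoded value
 * survives validation; otherwise clears out and returns 0, so the caller never
 * passes a CRLF-bearing string on to libcurl.
 */
int build_path_header(const char *raw_path, char *out, size_t outsz)
{
    char decoded[512];
    int n;
    if (!percent_decode(raw_path, decoded, sizeof decoded))
        return 0;
    n = snprintf(out, outsz, "X-Original-Path: %s", decoded);
    if (n < 0 || (size_t)n >= outsz || !header_is_valid(out)) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths: benign, CRLF smuggled via %0d%0a, embedded NUL. */
    const char *samples[] = { "/docs/a%2Fb", "/docs%0d%0aX-Injected:%201", "/docs%00hidden" };
    char hdr[600];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = build_path_header(samples[i], hdr, sizeof hdr);
        printf("%-28s -> %s%s\n", samples[i], ok ? "accepted: " : "rejected", ok ? hdr : "");
    }
    return 0;
}
```

Only the first sample is accepted; the second would have injected a `X-Injected: 1` header if passed straight to `curl_slist_append()`, and the third is refused because an embedded NUL would silently truncate whatever the validator sees.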