Mercurial > dovecot > core-2.2
changeset 21526:6109df9e091b
lib-http: http_client_request_add_header() - Add key/value asserts
These don't check that they're entirely correct as required by HTTP
specifications. They're mainly there as a quick check that if the caller
didn't validate the key/value in any way, we'll crash instead of creating
a potential security hole. (Because with line feeds the attacker could
add extra headers or even entirely new HTTP requests.)
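The commit message above explains why the new asserts exist: a key or value containing CR/LF would let a caller-supplied string terminate the header line and smuggle in further header lines or even a second request, and the asserts only abort the process in that case rather than validate the header. The block below is an added example, not Dovecot code, showing the validation a caller should perform before handing a header to http_client_request_add_header(): the field name must be a non-empty RFC 7230 token (which excludes ':', spaces and control characters) and the field value must contain no control characters other than HTAB. The function names `http_header_key_valid` and `http_header_value_valid` and the sample inputs are assumptions constructed for this example.

```c
/* Added example (not Dovecot code): caller-side validation of an HTTP header
 * key/value pair. The changeset's asserts only abort on ':' / CR / LF; this
 * checks the full RFC 7230 field-name and field-value grammar so that a
 * rejected header never reaches the request builder in the first place.
 * Function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 7230 tchar: "!#$%&'*+-.^_`|~" / DIGIT / ALPHA */
static bool is_tchar(unsigned char c)
{
	if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9'))
		return true;
	/* c != '\0' first: strchr() would otherwise match the terminator */
	return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* field-name = token: non-empty, no ':', no SP/HTAB, no CR/LF, no other CTL.
 * Inputs are C strings, so a length-prefixed buffer must be checked for an
 * embedded NUL before it is converted to one. */
bool http_header_key_valid(const char *key)
{
	const unsigned char *p;

	if (key == NULL || *key == '\0')
		return false;
	for (p = (const unsigned char *)key; *p != '\0'; p++) {
		if (!is_tchar(*p))
			return false;
	}
	return true;
}

/* field-value: VCHAR / obs-text / SP / HTAB. CR and LF are the characters
 * that would end the header line and let an attacker-controlled value add
 * extra headers; every other CTL except HTAB is rejected as well. */
bool http_header_value_valid(const char *value)
{
	const unsigned char *p;

	if (value == NULL)
		return false;
	for (p = (const unsigned char *)value; *p != '\0'; p++) {
		if (*p == '\t')
			continue;
		if (*p < 0x20 || *p == 0x7f)
			return false;
	}
	return true;
}

int main(void)
{
	/* constructed sample header pairs; the second value carries the CR/LF
	 * sequence that would otherwise inject a new header line */
	static const char *const samples[][2] = {
		{ "X-Trace",   "abc123" },
		{ "X-Trace",   "abc\r\nInjected: 1" },
		{ "X-Trace:",  "abc123" },
		{ "",          "abc123" },
		{ "Bad Key",   "abc123" },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		bool ok = http_header_key_valid(samples[i][0]) &&
			  http_header_value_valid(samples[i][1]);
		printf("key=%-10s -> %s\n", samples[i][0],
		       ok ? "accepted" : "rejected");
	}
	return 0;
}
```

Running this validation before the add_header() call keeps the asserts in the changeset as what the commit message says they are, a last-resort crash rather than the place where untrusted input is filtered.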
| author | Timo Sirainen <timo.sirainen@dovecot.fi> |
|---|---|
| date | Fri, 10 Feb 2017 15:27:13 +0200 |
| parents | cea8065bd571 |
| children | 09c06f63c8c4 |
| files | src/lib-http/http-client-request.c |
| diffstat | 1 files changed, 3 insertions(+), 0 deletions(-) |
line diff
--- a/src/lib-http/http-client-request.c Mon Feb 13 09:09:28 2017 +0200 +++ b/src/lib-http/http-client-request.c Fri Feb 10 15:27:13 2017 +0200 @@ -301,6 +301,9 @@ /* allow calling for retries */ req->state == HTTP_REQUEST_STATE_GOT_RESPONSE || req->state == HTTP_REQUEST_STATE_ABORTED); + /* make sure key or value can't break HTTP headers entirely */ + i_assert(strpbrk(key, ":\r\n") == NULL); + i_assert(strpbrk(value, "\r\n") == NULL); /* mark presence of special headers */ switch (key[0]) {
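Review bot: the key assert `i_assert(strpbrk(key, ":\r\n") == NULL);` still accepts an empty key and whitespace or other non-token characters in the field name, and both asserts abort the process rather than reject the header, so a caller passing unvalidated external input crashes, as the commit message intends; the comment `/* make sure key or value can't break HTTP headers entirely */` should say explicitly that these are guards against caller bugs and not validation of untrusted key/value strings, so nobody later treats them as sufficient sanitization before the `switch (key[0])` that follows.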