Incorrect Header Name Validation
kenballus opened this issue
Mongoose does not sufficiently validate request headers in 2 ways:
- The RFCs specify that empty header names are invalid. Mongoose should therefore reject requests with empty header names.
- The RFCs specify that header names may contain only alphanumerics and a few other unreserved characters (see RFC 9110 section 5.6.2). Mongoose allows the following reserved characters within header names: `"`, `(`, `)`, `,`, `/`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]`, `{`, `}`, and the range `\xc0-\xef`.
Mongoose already rejects empty header names:
Line 225 in e418da4
W.r.t. header names containing only certain characters: we do not see any issue with allowing any valid utf-8 character. Mongoose does not strictly follow the RFC, that has never been the goal.
> Mongoose already rejects empty header names:
Wow; something must have been wrong with my testing code. Sorry for the hassle.
> we do not see any issue with allowing any valid utf-8 character. Mongoose does not strictly follow the RFC, that has never been the goal.
That's a fair assessment, but you should be aware that `\xc0-\xef` are not valid UTF-8 sequences because they are unpaired surrogates.
@kenballus that's a fair point about \xc0-\xef, I'll take a look!
Pushed bd53e46 to disallow invalid utf-8 in method, uri, header names.
Allow invalid utf-8 in header values and protocol
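The two validation policies discussed in this thread, side by side, as an added example that is not Mongoose's own code: a strict RFC 9110 token (tchar) check for field names, and a UTF-8 well-formedness check per RFC 3629 that rejects overlong leads such as 0xC0/0xC1, UTF-16 surrogates (ED A0-BF) and truncated sequences. Function names are my own; the byte strings in the test are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 9110 s.5.6.2 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" /
 * "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. Everything else,
 * including the delimiters listed in the issue and all bytes >= 0x80, fails. */
static bool is_tchar(unsigned char c) {
  if (c == 0 || c >= 0x80) return false;
  return isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Strict check: a field name is a non-empty token (RFC 9110 s.5.1). */
bool header_name_is_token(const char *name, size_t len) {
  if (len == 0) return false;
  for (size_t i = 0; i < len; i++)
    if (!is_tchar((unsigned char) name[i])) return false;
  return true;
}

/* Looser policy matching the thread's outcome: any well-formed UTF-8 (RFC 3629).
 * Rejects stray continuation bytes, overlong leads C0/C1 and E0 80-9F /
 * F0 80-8F, UTF-16 surrogates ED A0-BF, leads above F4 and truncated input. */
bool is_well_formed_utf8(const unsigned char *buf, size_t len) {
  size_t i = 0;
  while (i < len) {
    unsigned char b = buf[i], lo = 0x80, hi = 0xBF;
    size_t need = 0;                        /* continuation bytes expected */
    if (b < 0x80) { i++; continue; }
    else if (b >= 0xC2 && b <= 0xDF) need = 1;
    else if (b == 0xE0) { need = 2; lo = 0xA0; }
    else if (b >= 0xE1 && b <= 0xEC) need = 2;
    else if (b == 0xED) { need = 2; hi = 0x9F; }
    else if (b == 0xEE || b == 0xEF) need = 2;
    else if (b == 0xF0) { need = 3; lo = 0x90; }
    else if (b >= 0xF1 && b <= 0xF3) need = 3;
    else if (b == 0xF4) { need = 3; hi = 0x8F; }
    else return false;                      /* 80-C1 and F5-FF never lead */
    if (i + need >= len) return false;      /* sequence runs past the end */
    if (buf[i + 1] < lo || buf[i + 1] > hi) return false;
    for (size_t k = 2; k <= need; k++)
      if (buf[i + k] < 0x80 || buf[i + k] > 0xBF) return false;
    i += need + 1;
  }
  return true;
}
```

A parser that wants the RFC behaviour calls `header_name_is_token` on the raw name bytes before the colon; one that wants the relaxed behaviour the maintainer chose calls `is_well_formed_utf8` and additionally rejects an empty name.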