CRLF injection using headers
n0npax opened this issue · comments
Example code and a full description can be found here: https://github.com/n0npax/dart-test-http2
Basically, a header like the one below was accepted by the library and passed to the downstream service.
var headers = [
  // ...
  Header.ascii(':scheme', uri.scheme),
  // Header value carrying an embedded CR LF followed by a second "name: value" pair
  Header.ascii('test0', "llama0\r\nHackiery: example.com"),
  Header.ascii('test1', "llama1"),
  // ...
];
var stream = transport.makeRequest(headers, endStream: true);
The request was interpreted by the server as:
Remote-Addr: 127.0.0.1
Host: localhost
Test0: llama0
Hackiery: example.com
Test1: llama1
Test2: llama2
As you can see, Hackiery: example.com was interpreted as a new header.
This looks like a CRLF injection/header forgery issue.
I believe this is a security risk if the user can manipulate a header value.
Wrong description. The issue may not be CRLF, but just a non-validated header. Need to check if this is a real issue.
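A caller-side check that rejects the header from the report before it reaches `Header.ascii`, as an added example that is not part of the original issue or of the library's code. The names `checkedHeader` and `HeaderValidationError` are hypothetical; the rules enforced are the field name and value restrictions of RFC 9113 section 8.2.1, and the sample headers are the ones shown in the issue.

```dart
// Added example: validate HTTP/2 field names and values before building
// package:http2 Header objects. All names defined here are hypothetical.

class HeaderValidationError implements Exception {
  final String message;
  HeaderValidationError(this.message);
  @override
  String toString() => 'HeaderValidationError: $message';
}

/// Returns the pair unchanged if it is safe to send, otherwise throws.
MapEntry<String, String> checkedHeader(String name, String value) {
  if (name.isEmpty || name == ':') {
    throw HeaderValidationError('empty header name');
  }
  for (var i = 0; i < name.length; i++) {
    final c = name.codeUnitAt(i);
    final leadingColon = c == 0x3a && i == 0; // ':' that opens a pseudo-header
    final illegal = c <= 0x20 || c >= 0x7f || // controls, space, non-ASCII
        (c >= 0x41 && c <= 0x5a) ||           // uppercase is not allowed in HTTP/2
        (c == 0x3a && !leadingColon);         // ':' anywhere else in the name
    if (illegal) {
      throw HeaderValidationError(
          'illegal character 0x${c.toRadixString(16)} in name');
    }
  }
  // NUL, LF and CR are forbidden at any position in a field value.
  for (final c in value.codeUnits) {
    if (c == 0x00 || c == 0x0a || c == 0x0d) {
      throw HeaderValidationError(
          'illegal character 0x${c.toRadixString(16)} in value of "$name"');
    }
  }
  // A field value must not start or end with SP or HTAB.
  if (value.isNotEmpty) {
    final edges = [value.codeUnitAt(0), value.codeUnitAt(value.length - 1)];
    if (edges.any((c) => c == 0x20 || c == 0x09)) {
      throw HeaderValidationError('leading or trailing whitespace in "$name"');
    }
  }
  return MapEntry(name, value);
}

void main() {
  // Header values taken from the issue text; ':scheme' value is constructed.
  final samples = {
    ':scheme': 'https',
    'test0': 'llama0\r\nHackiery: example.com',
    'test1': 'llama1',
  };
  for (final e in samples.entries) {
    try {
      final ok = checkedHeader(e.key, e.value);
      // With package:http2, Header.ascii(ok.key, ok.value) would be built here.
      print('accept ${ok.key}');
    } on HeaderValidationError catch (err) {
      print('reject ${e.key}: $err');
    }
  }
}
```

A server or proxy that translates HTTP/2 requests to HTTP/1.1 should apply the same checks on receipt, since it cannot assume every client library validates before sending.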