HTTP headers validation #1408

Closed
wants to merge 2 commits into from
cy6erGn0m
Contributor

Subsystem
ktor utils, server, client

Motivation
Currently, header name and values requirements are not strict enough since we only prohibit setting so-called "unsafe" headers while we allow setting illegal headers. Setting illegal header names or values may cause HTTP protocol violations, software incompatibility, security issues and other negative consequences.

Solution

  • restrict the CIO HTTP parser so that illegal names and values cause the request to be aborted
  • restrict the API so that illegal headers cannot be set via HeadersBuilder or the server's ResponseHeaders
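The two sides of that solution, a builder that refuses illegal headers and a parser that aborts on them, shown as an added stand-alone example (not Ktor's code) using the RFC 7230 token and field-value character rules; the regex patterns, error class and function names are assumptions made for this illustration:

```python
import re
from typing import List, Tuple

# RFC 7230 "token": a header name may only contain these characters.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 7230 field-value: visible ASCII, obs-text (0x80-0xFF), SP and HTAB.
# Anything else (CR, LF, NUL, other controls) is illegal and enables header injection.
_FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


class IllegalHeaderError(ValueError):
    """Raised when a header name or value would violate RFC 7230."""


def is_valid_header_name(name: str) -> bool:
    return _TOKEN_RE.fullmatch(name) is not None


def is_valid_header_value(value: str) -> bool:
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def append_header(headers: List[Tuple[str, str]], name: str, value: str) -> None:
    """Builder side: refuse an illegal header instead of putting it on the wire."""
    if not is_valid_header_name(name):
        raise IllegalHeaderError("illegal header name: %r" % name)
    if not is_valid_header_value(value):
        raise IllegalHeaderError("illegal header value: %r" % value)
    headers.append((name, value))


def parse_header_line(line: bytes) -> Tuple[str, str]:
    """Parser side: decode one raw 'Name: value' line, aborting on anything illegal."""
    raw_name, sep, raw_value = line.partition(b":")
    if not sep:
        raise IllegalHeaderError("no ':' in field line: %r" % line)
    # RFC 7230 section 3.2.4: whitespace between the name and ':' must be rejected.
    if raw_name != raw_name.rstrip(b" \t"):
        raise IllegalHeaderError("whitespace before ':' in field line: %r" % line)
    # latin-1 maps each octet to one code point, so the regexes check the raw bytes.
    name = raw_name.decode("latin-1")
    value = raw_value.strip(b" \t").decode("latin-1")  # surrounding OWS is not part of the value
    if not is_valid_header_name(name) or not is_valid_header_value(value):
        raise IllegalHeaderError("illegal field line: %r" % line)
    return name, value


def is_rejected_line(line: bytes) -> bool:
    """True when the parser would abort the request on this field line."""
    try:
        parse_header_line(line)
    except IllegalHeaderError:
        return True
    return False
```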

@cy6erGn0m cy6erGn0m requested a review from e5l October 22, 2019 09:38
@cy6erGn0m cy6erGn0m changed the title Cy/cio headers HTTP headers validation Oct 22, 2019
@cy6erGn0m cy6erGn0m added the Priority High priority or critical label Oct 22, 2019
@cy6erGn0m
Contributor Author

Merged manually

@cy6erGn0m cy6erGn0m closed this Oct 23, 2019
@cy6erGn0m cy6erGn0m deleted the cy/cio-headers branch October 23, 2019 11:57
Labels: bug, design, Priority High priority or critical