
Commit fe18adf

authored
Merge pull request from GHSA-hh82-3pmq-7frp
Motivation: The setObject methods that took arrays and iterators as arguments provided a way to bypass value validation. Modification: Add the missing value validation checks. Result: It is no longer possible to bypass value validation in DefaultHeaders-based implementations, including DefaultHttpHeaders.
1 parent cd91cf3 commit fe18adf


2 files changed

+30
-3
lines changed


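--- a/codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/DefaultHttpHeadersTest.java
@@ -22,7 +22,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.function.Executable;
 
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
@@ -41,6 +41,7 @@
 
 public class DefaultHttpHeadersTest {
     private static final CharSequence HEADER_NAME = "testHeader";
+    private static final CharSequence ILLEGAL_VALUE = "testHeader\r\nContent-Length:45\r\n\r\n";
 
     @Test
     public void nullHeaderNameNotAllowed() {
@@ -234,6 +235,28 @@ public void setObjectIterable() {
         assertDefaultValues(headers, HeaderValue.THREE);
     }
 
+    @Test
+    public void setCharSequenceValidatesValue() {
+        final DefaultHttpHeaders headers = newDefaultDefaultHttpHeaders();
+        assertThrows(IllegalArgumentException.class, new Executable() {
+            @Override
+            public void execute() throws Throwable {
+                headers.set(HEADER_NAME, ILLEGAL_VALUE);
+            }
+        });
+    }
+
+    @Test
+    public void setIterableValidatesValue() {
+        final DefaultHttpHeaders headers = newDefaultDefaultHttpHeaders();
+        assertThrows(IllegalArgumentException.class, new Executable() {
+            @Override
+            public void execute() throws Throwable {
+                headers.set(HEADER_NAME, Collections.singleton(ILLEGAL_VALUE));
+            }
+        });
+    }
+
     @Test
     public void toStringOnEmptyHeaders() {
         assertEquals("DefaultHttpHeaders[]", newDefaultDefaultHttpHeaders().toString());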
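Review bot: The two new tests exercise only the single-value and Iterable `set` overloads, while the companion change in DefaultHeaders also patches the varargs `setObject(K, Object...)` loop, which has no regression test here; if DefaultHttpHeaders exposes a varargs set overload, a third case of the same shape should call it with `ILLEGAL_VALUE`. Both cases also pass a one-element collection, so they would still pass if only the first element were validated; a case where the illegal value is not first, e.g. `headers.set(HEADER_NAME, Arrays.asList("ok", ILLEGAL_VALUE))` (re-adding the `java.util.Arrays` import this hunk removes), pins the per-element check. A one-line comment on `ILLEGAL_VALUE` would make its purpose obvious: `// CR/LF in a value must be rejected, otherwise a second header could be injected`.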

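--- a/codec/src/main/java/io/netty/handler/codec/DefaultHeaders.java
+++ b/codec/src/main/java/io/netty/handler/codec/DefaultHeaders.java
@@ -532,7 +532,9 @@ public T setObject(K name, Iterable<?> values) {
             if (v == null) {
                 break;
             }
-            add0(h, i, name, fromObject(name, v));
+            V converted = fromObject(name, v);
+            validateValue(valueValidator, name, converted);
+            add0(h, i, name, converted);
         }
 
         return thisT();
@@ -550,7 +552,9 @@ public T setObject(K name, Object... values) {
             if (v == null) {
                 break;
             }
-            add0(h, i, name, fromObject(name, v));
+            V converted = fromObject(name, v);
+            validateValue(valueValidator, name, converted);
+            add0(h, i, name, converted);
         }
 
         return thisT();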
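Review bot: The added `validateValue` calls close the bypass for both `setObject` overloads, but the same post-conversion check should be confirmed on any sibling `addObject(K, Iterable<?>)` / `addObject(K, Object...)` loops, which are outside this hunk and would carry the identical gap if they still call `add0` straight from `fromObject`. The convert/validate/add sequence is now duplicated verbatim in two methods; a private helper such as `addValidated(h, i, name, v)` would keep the next overload from silently missing the check. A why-comment on the new validation line would help the next reader: `// validate after conversion so the check sees the exact value stored (the CR/LF case the new test covers)`. The bodies of both setObject methods start and end outside this hunk.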
