Various medium-severity bug fixes#214
Conversation
Fixes for the following: - Resource-scope header values can inject outbound HTTP headers - Extension user-agent can inject outbound HTTP headers
And also from SystemRequest.toString()
oracle-contributor-agreement
Bot
added
the
OCA Verified
| } | ||
| for (int i = 0; i < value.length(); i++) { | ||
| char ch = value.charAt(i); | ||
| if (ch <= 0x1f || ch == 0x7f) { |
There was a problem hiding this comment.
Both name and value must be checked and there are different rules for them, this is what I got from GPT:
static boolean isValidHttpHeaderName(String name) {
if (name == null || name.isEmpty()) {
return false;
}
for (int i = 0; i < name.length(); i++) {
char c = name.charAt(i);
boolean valid =
(c >= 'A' && c <= 'Z') ||
(c >= 'a' && c <= 'z') ||
(c >= '0' && c <= '9') ||
c == '!' || c == '#' || c == '$' || c == '%' ||
c == '&' || c == '\'' || c == '*' || c == '+' ||
c == '-' || c == '.' || c == '^' || c == '_' ||
c == '`' || c == '|' || c == '~';
if (!valid) {
return false;
}
}
return true;
}
static boolean isValidHttpHeaderValue(String value) {
if (value == null) {
return false;
}
for (int i = 0; i < value.length(); i++) {
char c = value.charAt(i);
// Reject control chars except horizontal tab.
// This rejects CR/LF too, preventing header injection.
if ((c < 0x20 && c != '\t') || c == 0x7f) {
return false;
}
}
return true;
}
Also http2 and 3 should also check:
if (c >= 'A' && c <= 'Z') {
return false;
}
There was a problem hiding this comment.
We don't have a way for users to affect the header field that we send. We only allow appending to the value. So I don't think we need header field validation at this point.
The purpose of this change was to eliminate the chance of injected headers, so throwing an error on CR/LF is really the most important part. The current code change covers that with the simple <= 0x1f check.
2 participants
Fixed: