Unverified Commit 4f5ebd93 authored by Kenton Varda's avatar Kenton Varda Committed by GitHub

Merge pull request #597 from capnproto/permissive-http-headers

Fix header validation to match Fetch spec.
parents 7f513230 5500d544
......@@ -233,6 +233,29 @@ KJ_TEST("HttpHeaders parse invalid") {
"\r\n")) == nullptr);
}
KJ_TEST("HttpHeaders validation") {
auto table = HttpHeaderTable::Builder().build();
HttpHeaders headers(*table);
headers.add("Valid-Name", "valid value");
// The HTTP RFC prohibits control characters, but browsers only prohibit \0, \r, and \n. KJ goes
// with the browsers for compatibility.
headers.add("Valid-Name", "valid\x01value");
// The HTTP RFC does not permit non-ASCII values.
// KJ chooses to interpret them as UTF-8, to avoid the need for any expensive conversion.
// Browsers apparently interpret them as LATIN-1. Applications can reinterpet these strings as
// LATIN-1 easily enough if they really need to.
headers.add("Valid-Name", u8"valid€value");
KJ_EXPECT_THROW_MESSAGE("invalid header name", headers.add("Invalid Name", "value"));
KJ_EXPECT_THROW_MESSAGE("invalid header name", headers.add("Invalid@Name", "value"));
KJ_EXPECT_THROW_MESSAGE("invalid header value", headers.set(HttpHeaderId::HOST, "in\nvalid"));
KJ_EXPECT_THROW_MESSAGE("invalid header value", headers.add("Valid-Name", "in\nvalid"));
}
// =======================================================================================
class ReadFragmenter final: public kj::AsyncIoStream {
......
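Review bot: The new test pins rejection of '\n' only (the two `in\nvalid` lines), while the validator this commit describes also rejects '\r' and NUL; a bare CR is the case most worth covering because it is the byte an intermediary would treat as a line delimiter. Add `KJ_EXPECT_THROW_MESSAGE("invalid header value", headers.add("Valid-Name", "in\rvalid"));` next to the existing `\n` case, and a NUL case built with an explicit length such as `headers.add("Valid-Name", kj::StringPtr("in\0valid", 8))`, since a plain literal would be cut at the NUL by a strlen-based conversion (confirm the two-argument StringPtr constructor is the right one in this tree). A positive DEL (0x7F) case alongside `"valid\x01value"` would also document that the whole C0/DEL range, not just 0x01, is now accepted.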
......@@ -461,7 +461,11 @@ static void requireValidHeaderName(kj::StringPtr name) {
static void requireValidHeaderValue(kj::StringPtr value) {
for (char c: value) {
KJ_REQUIRE(c >= 0x20, "invalid header value", value);
// While the HTTP spec suggests that only printable ASCII characters are allowed in header
// values, reality has a different opinion. See: https://github.com/httpwg/http11bis/issues/19
// We follow the browsers' lead.
KJ_REQUIRE(c != '\0' && c != '\r' && c != '\n', "invalid header value",
kj::encodeCEscape(value));
}
}
......
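Review bot: The replacement check `KJ_REQUIRE(c != '\0' && c != '\r' && c != '\n', ...)` now admits DEL (0x7F) and the remaining C0 control bytes that the old `c >= 0x20` rejected, but the comment above it only cites browser behaviour and not the assumption this places on consumers: a value accepted here is written to the wire unmodified, so every parser downstream must agree that only CR, LF and NUL are significant. Suggest extending the comment with `// This intentionally admits other control characters (including DEL); anything accepted here is emitted verbatim.` Since the commit title says the goal is to match the Fetch spec, note also that Fetch strips leading/trailing HTTP whitespace from a value before this check, which this function does not do; if that normalization is deliberately left to callers, say so in the same comment. Passing `kj::encodeCEscape(value)` as the context argument instead of the raw value, as the old line did, keeps the offending control bytes out of the log line and is the right choice.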