authorJames M Snell <jasnell@gmail.com>2016-02-03 17:32:23 -0800
committerJames M Snell <jasnell@gmail.com>2016-02-09 09:22:09 -0800
commit7bef1b790727430cb82bf8be80cfe058480de100 (patch)
tree1531adfb2006b61473d551da6c3576e0272c5b0b /lib/_http_common.js
parent4f4c8ab3b4cea246d2ece6ca006fe280241d84a4 (diff)
downloadnode-new-7bef1b790727430cb82bf8be80cfe058480de100.tar.gz
http: strictly forbid invalid characters from headers
PR-URL: https://github.com/nodejs/node-private/pull/26 Reviewed-By: Rod Vagg <r@va.gg> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'lib/_http_common.js')
-rw-r--r--lib/_http_common.js17
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/_http_common.js b/lib/_http_common.js
index 5f5af3325e..328b6eea8a 100644
--- a/lib/_http_common.js
+++ b/lib/_http_common.js
@@ -231,3 +231,20 @@ function checkIsHttpToken(val) {
return typeof val === 'string' && token.test(val);
}
exports._checkIsHttpToken = checkIsHttpToken;
+
+/**
+ * True if val contains an invalid field-vchar
+ * field-value = *( field-content / obs-fold )
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar = VCHAR / obs-text
+ **/
+function checkInvalidHeaderChar(val) {
+ val = '' + val;
+ for (var i = 0; i < val.length; i++) {
+ const ch = val.charCodeAt(i);
+ if (ch === 9) continue;
+ if (ch <= 31 || ch > 255 || ch === 127) return true;
+ }
+ return false;
+}
+exports._checkInvalidHeaderChar = checkInvalidHeaderChar;
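Review bot: The docblock on `checkInvalidHeaderChar` quotes the field-value grammar including `obs-fold`, but the loop rejects every code unit <= 31 except HTAB (9), so CR and LF, and therefore any folded value, are reported as invalid. That strictness is what keeps a header value from carrying a line break into the serialized message, so the comment should state it rather than leave the reader to infer it from the grammar, for example `* CR and LF are always rejected; obs-fold is deliberately not accepted.` The `'' + val` coercion also means non-string inputs are judged by their string form: `undefined` is checked as the text "undefined" and passes, and a Symbol would presumably throw a TypeError instead of returning true. The callers are outside this hunk, so a docblock line such as `* val is coerced to a string before checking; callers must reject non-string values themselves if that matters.` would make the contract explicit.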