author | James M Snell <jasnell@gmail.com> | 2016-02-03 17:32:23 -0800 |
---|---|---|
committer | James M Snell <jasnell@gmail.com> | 2016-02-09 09:22:09 -0800 |
commit | 7bef1b790727430cb82bf8be80cfe058480de100 (patch) | |
tree | 1531adfb2006b61473d551da6c3576e0272c5b0b /lib | |
parent | 4f4c8ab3b4cea246d2ece6ca006fe280241d84a4 (diff) | |
download | node-new-7bef1b790727430cb82bf8be80cfe058480de100.tar.gz |
http: strictly forbid invalid characters from headers
PR-URL: https://github.com/nodejs/node-private/pull/26
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/_http_common.js | 17 | ||||
-rw-r--r-- | lib/_http_outgoing.js | 15 |
2 files changed, 28 insertions, 4 deletions
diff --git a/lib/_http_common.js b/lib/_http_common.js
index 5f5af3325e..328b6eea8a 100644
--- a/lib/_http_common.js
+++ b/lib/_http_common.js
@@ -231,3 +231,20 @@ function checkIsHttpToken(val) {
 return typeof val === 'string' && token.test(val);
 }
 exports._checkIsHttpToken = checkIsHttpToken;
+
+/**
+ * True if val contains an invalid field-vchar
+ * field-value = *( field-content / obs-fold )
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar = VCHAR / obs-text
+ **/
+function checkInvalidHeaderChar(val) {
+ val = '' + val;
+ for (var i = 0; i < val.length; i++) {
+ const ch = val.charCodeAt(i);
+ if (ch === 9) continue;
+ if (ch <= 31 || ch > 255 || ch === 127) return true;
+ }
+ return false;
+}
+exports._checkInvalidHeaderChar = checkInvalidHeaderChar;
diff --git a/lib/_http_outgoing.js b/lib/_http_outgoing.js
index 450975b72a..56228f5139 100644
--- a/lib/_http_outgoing.js
+++ b/lib/_http_outgoing.js
@@ -305,8 +305,10 @@ function storeHeader(self, state, field, value) {
 throw new TypeError(
 'Header name must be a valid HTTP Token ["' + field + '"]');
 }
- value = escapeHeaderValue(value);
- state.messageHeader += field + ': ' + value + CRLF;
+ if (common._checkInvalidHeaderChar(value) === true) {
+ throw new TypeError('The header content contains invalid characters');
+ }
+ state.messageHeader += field + ': ' + escapeHeaderValue(value) + CRLF;
 
 if (connectionExpression.test(field)) {
 state.sentConnectionHeader = true;
@@ -341,8 +343,10 @@ OutgoingMessage.prototype.setHeader = function(name, value) {
 if (value === undefined)
 throw new Error('"value" required in setHeader("' + name + '", value)');
 if (this._header)
- throw new Error('Can\'t set headers after they are sent');
-
+ throw new Error('Can\'t set headers after they are sent.');
+ if (common._checkInvalidHeaderChar(value) === true) {
+ throw new TypeError('The header content contains invalid characters');
+ }
 if (this._headers === null)
 this._headers = {};
 
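Review bot: The doc block above checkInvalidHeaderChar quotes the ABNF but not the function's contract, so the coercion on `val = '' + val` and the meaning of the three numeric tests in the loop have to be reverse-engineered. I would add after the ABNF lines: ` * Coerces val with '' + val (an array is scanned in its comma-joined form) and returns true` / ` * on any CTL other than HTAB (so CR/LF, which would split the header, are rejected), on DEL,` / ` * and on any UTF-16 code unit above 0xFF; SP and obs-text (0x80-0xFF) are accepted.` The closing `**/` is nonstandard for a JSDoc block and should be `*/`.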
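Review bot: The new TypeError thrown before `state.messageHeader +=` in storeHeader does not say which header was rejected, whereas the token error two lines above includes `field`; the identical message is thrown in the setHeader hunk (where the name is `name`) and in the addTrailers hunk. Naming the field, but not echoing the rejected value, which is caller-influenced, makes the failure actionable: `throw new TypeError('The header content contains invalid characters [' + field + ']');`. The `=== true` comparison on the check's boolean result is redundant at all three call sites and reads more plainly as `if (common._checkInvalidHeaderChar(value)) {`. With CR and LF now rejected up front, the `escapeHeaderValue(value)` call kept on the `state.messageHeader +=` line looks like pure defense in depth; a one-line comment saying so would stop a later cleanup from removing either check. storeHeader's body begins before and continues after this hunk.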
@@ -515,6 +519,9 @@ OutgoingMessage.prototype.addTrailers = function(headers) {
 throw new TypeError(
 'Trailer name must be a valid HTTP Token ["' + field + '"]');
 }
+ if (common._checkInvalidHeaderChar(value) === true) {
+ throw new TypeError('The header content contains invalid characters');
+ }
 this._trailer += field + ': ' + escapeHeaderValue(value) + CRLF;
 }
 };