Ensure there is no new line character in header value

httprb · Feb 12, 2019 · 3b99add · 3b99add
1 parent e716108
commit 3b99add
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/lib/http/headers.rb b/lib/http/headers.rb
@@ -50,6 +50,7 @@ def delete(name)
     # @return [void]
     def add(name, value)
       name = normalize_header name.to_s
+      validate_value(value)
       Array(value).each { |v| @pile << [name, v.to_s] }
     end
 
@@ -209,5 +210,14 @@ def normalize_header(name)
 
       raise HeaderError, "Invalid HTTP header field name: #{name.inspect}"
     end
+
+    # Ensures there is no new line character in the header value
+    #
+    # @param [String] value
+    # @raise [HeaderError] if value includes new line character
+    def validate_value(value)
+      return unless value && value.include?("\n")
+      raise HeaderError, "Invalid HTTP header field value: #{value.inspect}"
+    end
   end
 end
diff --git a/spec/lib/http/headers_spec.rb b/spec/lib/http/headers_spec.rb
@@ -41,6 +41,11 @@
           to raise_error HTTP::HeaderError
       end
     end
+
+    it "fails with invalid header value" do
+      expect { headers.set "foo", "bar\nEvil-Header: evil-value" }.
+        to raise_error HTTP::HeaderError
+    end
   end
 
   describe "#[]=" do
@@ -127,6 +132,11 @@
           to raise_error HTTP::HeaderError
       end
     end
+
+    it "fails with invalid header value" do
+      expect { headers.add "foo", "bar\nEvil-Header: evil-value" }.
+        to raise_error HTTP::HeaderError
+    end
   end
 
   describe "#get" do