Ensure there is no new line character in header value

httprb · Feb 12, 2019 · 90b1f8b · 90b1f8b
1 parent a90f89e
commit 90b1f8b
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/lib/http/headers.rb b/lib/http/headers.rb
@@ -50,7 +50,7 @@ def delete(name)
     # @return [void]
     def add(name, value)
       name = normalize_header name.to_s
-      Array(value).each { |v| @pile << [name, v.to_s] }
+      Array(value).each { |v| @pile << [name, validate_value(v)] }
     end
 
     # Returns list of header values if any.
@@ -209,5 +209,16 @@ def normalize_header(name)
 
       raise HeaderError, "Invalid HTTP header field name: #{name.inspect}"
     end
+
+    # Ensures there is no new line character in the header value
+    #
+    # @param [String] value
+    # @raise [HeaderError] if value includes new line character
+    # @return [String] stringified header value
+    def validate_value(value)
+      v = value.to_s
+      return v unless v.include?("\n")
+      raise HeaderError, "Invalid HTTP header field value: #{v.inspect}"
+    end
   end
 end
diff --git a/spec/lib/http/headers_spec.rb b/spec/lib/http/headers_spec.rb
@@ -41,6 +41,11 @@
           to raise_error HTTP::HeaderError
       end
     end
+
+    it "fails with invalid header value" do
+      expect { headers.set "foo", "bar\nEvil-Header: evil-value" }.
+        to raise_error HTTP::HeaderError
+    end
   end
 
   describe "#[]=" do
@@ -127,6 +132,11 @@
           to raise_error HTTP::HeaderError
       end
     end
+
+    it "fails with invalid header value" do
+      expect { headers.add "foo", "bar\nEvil-Header: evil-value" }.
+        to raise_error HTTP::HeaderError
+    end
   end
 
   describe "#get" do