[Issue 16174] New: [SECURITY] HTTP header injection
via Digitalmars-d-bugs
digitalmars-d-bugs at puremagic.com
Tue Jun 14 12:48:55 PDT 2016
https://issues.dlang.org/show_bug.cgi?id=16174
Issue ID: 16174
Summary: [SECURITY] HTTP header injection
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P1
Component: phobos
Assignee: nobody at puremagic.com
Reporter: cpicard at openmailbox.org
std.net.curl is vulnerable to HTTP header injection.
import std.stdio;
import std.net.curl;

void main(string[] args) {
    auto http = HTTP("localhost:8000");
    http.addRequestHeader("User-agent",
        "Mozilla/5.0\x0d\x0aLocation: header injection");
    http.onReceiveHeader =
        (in char[] key, in char[] value) { writeln(key ~ ": " ~ value); };
    http.onReceive = (ubyte[] data) { /+ drop +/ return data.length; };
    http.perform();
}
What was sent:
GET / HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0
Location: header injection
Accept: */*
This flaw was discussed at length here https://bugs.python.org/issue22928 as
Python's standard library was affected by the same vulnerability (although
there is no link).
The consensus that was found is that although allowing newlines in a user-agent
is RFC compliant, opening the door to security vulnerabilities is not
acceptable. Today Python throws an exception when newlines are present in the
header.
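A caller-side check in the spirit of the Python behaviour described in the report, as an added example that is not code from the report or from Phobos. The names enforceSafeHeader and addCheckedRequestHeader are hypothetical; the wrapper rejects the reported value before it reaches HTTP.addRequestHeader.

```d
import std.exception : assertThrown, enforce;
import std.net.curl : HTTP;

/// RFC 7230 "tchar": the characters allowed in a header field name.
bool isTokenChar(char c)
{
    import std.ascii : isAlphaNum;
    if (isAlphaNum(c)) return true;
    foreach (char t; "!#$%&'*+-.^_`|~")
        if (t == c) return true;
    return false;
}

/// Throws if name or value could terminate the header line early.
/// Hypothetical helper, not part of std.net.curl.
void enforceSafeHeader(const(char)[] name, const(char)[] value)
{
    enforce(name.length > 0, "empty header name");
    foreach (char c; name)
        enforce(isTokenChar(c), "illegal character in header name");
    foreach (char c; value)
        enforce(c != '\r' && c != '\n' && c != '\0',
                "CR, LF or NUL in header value");
}

/// Validate first, then hand the header to std.net.curl unchanged.
/// Hypothetical wrapper, not part of std.net.curl.
void addCheckedRequestHeader(ref HTTP http,
                             const(char)[] name, const(char)[] value)
{
    enforceSafeHeader(name, value);
    http.addRequestHeader(name, value);
}

void main()
{
    // Constructed inputs; no request is made, so this runs offline.
    enforceSafeHeader("User-agent", "Mozilla/5.0");

    // The value from the report: CR LF followed by a second header.
    assertThrown(enforceSafeHeader("User-agent",
        "Mozilla/5.0\x0d\x0aLocation: header injection"));

    // The same trick placed in the header name is rejected as well.
    assertThrown(enforceSafeHeader("X-Test\r\nLocation", "x"));
}
```

Rejecting the input, rather than stripping the control characters, matches the exception-on-newline behaviour the report attributes to Python.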