digitalmars.D.bugs - [Issue 16174] New:
- via Digitalmars-d-bugs (39/39) Jun 14 2016 https://issues.dlang.org/show_bug.cgi?id=16174
https://issues.dlang.org/show_bug.cgi?id=16174

          Issue ID: 16174
           Summary: [SECURITY] HTTP header injection
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
          Assignee: nobody puremagic.com
          Reporter: cpicard openmailbox.org

std.net.curl is vulnerable to HTTP header injection.

    import std.stdio;
    import std.net.curl;

    void main(string[] args) {
        auto http = HTTP("localhost:8000");
        // The header value carries an embedded CR LF (\x0d\x0a).
        http.addRequestHeader("User-agent",
                              "Mozilla/5.0\x0d\x0aLocation: header injection");

        // Print each response header as it arrives.
        http.onReceiveHeader = (in char[] key, in char[] value) {
            writeln(key ~ ": " ~ value);
        };

        http.onReceive = (ubyte[] data) { /+ drop +/ return data.length; };
        http.perform();
    }

What was sent:

    GET / HTTP/1.1
    Host: localhost:8000
    User-Agent: Mozilla/5.0
    Location: header injection
    Accept: */*

This flaw was discussed at length here https://bugs.python.org/issue22928 as Python's standard library was affected by the same vulnerability (although there is no link).

The consensus that was found is that although allowing newlines in a user-agent is RFC compliant, opening the door to security vulnerabilities is not acceptable. Today Python throws an exception when newlines are present in the header.

--
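A caller-side guard that rejects unsafe header names and values before they reach `addRequestHeader`, mirroring the Python behaviour the report describes. This is an added example, not code from the report or from Phobos; `isToken`, `isSafeValue` and `addCheckedHeader` are hypothetical helper names, and rejecting every control character except tab generalizes beyond the CR/LF case shown in the report.

```d
import std.exception : enforce;
import std.net.curl : HTTP;
import std.stdio : writeln;

// Hypothetical helper: true if `name` is a non-empty RFC 7230 token,
// the only form a header field name may take.
bool isToken(const(char)[] name)
{
    import std.ascii : isAlphaNum;
    if (name.length == 0) return false;
    foreach (char c; name)
    {
        bool ok = isAlphaNum(c);
        foreach (char a; "!#$%&'*+-.^_`|~")
            ok = ok || a == c;
        if (!ok) return false;
    }
    return true;
}

// Hypothetical helper: false if `value` contains CR, LF, NUL or any other
// control character except horizontal tab.
bool isSafeValue(const(char)[] value)
{
    foreach (char c; value)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    return true;
}

// Hypothetical wrapper: validate first, then hand the header to std.net.curl.
void addCheckedHeader(ref HTTP http, const(char)[] name, const(char)[] value)
{
    enforce(isToken(name), "invalid character in header name");
    enforce(isSafeValue(value), "control character in header value");
    http.addRequestHeader(name, value);
}

void main()
{
    auto http = HTTP("localhost:8000"); // same target as the report; no request is sent
    addCheckedHeader(http, "User-agent", "Mozilla/5.0");
    try
    {
        // The value from the report: CR LF followed by a second header line.
        addCheckedHeader(http, "User-agent",
                         "Mozilla/5.0\x0d\x0aLocation: header injection");
    }
    catch (Exception e)
    {
        writeln("rejected: ", e.msg);
    }
}
```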