Skip to content

Do not allow CRLF in headers #932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2025
Merged

Do not allow CRLF in headers #932

merged 1 commit into from
Oct 17, 2025
+47 −3

Conversation

@KernelDeimos
Copy link
Contributor

@KernelDeimos KernelDeimos commented Oct 17, 2025

While the underlying HTTP server does in fact throw an error when the response will have invalid HTTP headers, this happens at runtime at the time of the first request rather than immediately after the process is started. This should be considered a fatal configuration error, causing the process to exit immediately.

Relevant issues
Contributor checklist
  • Provide tests for the changes (unless documentation-only)
  • Documented any new features, CLI switches, etc. (if applicable)
    • Server --help output
    • README.md
    • doc/http-server.1 (use the same format as other entries)
  • The pull request is being made against the master branch
Maintainer checklist
  • Assign a version triage tag
  • Approve tests if applicable

@KernelDeimos
Do not allow CRLF in headers
8d0e1ff 
While the underlying HTTP server does in fact throw an error when the
response will have invalid HTTP headers, this happens at runtime at the
time of the first request rather than immediately after the process is
started. This should be considered a fatal configuration error, causing
the process to exit immediately.
@KernelDeimos KernelDeimos mentioned this pull request Oct 17, 2025
Open
@KernelDeimos KernelDeimos merged commit 9c20674 into master Oct 17, 2025
15 checks passed
@JLLeitschuh
Copy link

JLLeitschuh commented Oct 20, 2025
edited
Loading

Is this fixing a security vulnerability? If so, it should probably have a CVE number assigned to it. Thoughts?

rafiibrahim8 pushed a commit to rafiibrahim8/http-server that referenced this pull request Oct 25, 2025
@KernelDeimos @rafiibrahim8
Do not allow CRLF in headers (http-party#932)
e6a02e1 
While the underlying HTTP server does in fact throw an error when the
response will have invalid HTTP headers, this happens at runtime at the
time of the first request rather than immediately after the process is
started. This should be considered a fatal configuration error, causing
the process to exit immediately.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KernelDeimos @JLLeitschuh