Panics with non-ASCII header value

[IVogel]

It panics due to lack of the string validity check in async-h1 and due to unwrap in http-types. Also, there is second unwrap that will panic if two fields with similar values exists, but second has valid UTF-8 string.

Minimal code for replication

#[async_std::main]
async fn main() -> tide::Result<()> {
    let mut app = tide::new();
    app.at("/").get( |_| async {
        Ok(tide::Response::new(200))
    });
    app.listen("0.0.0.0:8080").await?;
    Ok(())
}

Note, header value should be an valid UTF-8 string.

curl --header "Test: тест" http://0.0.0.0:8080
# or
curl --header "Test: test" --header "Test: тест" http://0.0.0.0:8088

Sorry if this is wrong repo. I don't really know to which repo this issue related to, because tide uses async-h1 which uses http-types. And I have got this error while using tide.

[yoshuawuyts]

Thanks for raising this! You're right we should probably remove the unwraps from both those locations. Unfortunately HTTP headers are required to be ASCII to reliably work (see this SO question), so that restriction cannot go away. But on our end we should make it so that we don't unwrap within http-types.

Tasks

• change signature of {Request,Response,Headers}::append to return Result
• change signature of {Request,Response,Headers}::insert to return Result

[IVogel]

Thanks for your reply. Yes, I know that headers should be all in ASCII. Wrote this because yesterday somebody has crashed my auth server. ¯\_( :| )_/¯ Looking forward to updates.

But for now, I'll just drop these non-ASCII headers.