
Disallow `\r\n` in Header text

Open ehamberg opened this issue 10 years ago • 6 comments

As the following program illustrates, it is possible to set more than one HTTP header by passing a string containing \r\n to setHeader, possibly leading to duplicate headers:

```haskell
{-# LANGUAGE OverloadedStrings #-}

import Web.Scotty

main = scotty 7000 $ get "/" $ do
         -- the value contains a CRLF, so a second header line follows it
         addHeader "X-Foo" "Hey\r\nContent-Type: bla"
         text "..."
```

```
$ curl -i 'http://localhost:7000'
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 22 May 2014 20:05:28 GMT
Server: Warp/2.1.5.1
Content-Type: text/plain
X-Foo: Hey
Content-Type: bla

...
```

Of course, data should ideally be sanitized before it reaches all the way to setHeader, but it would nonetheless be good to disallow this at the setHeader level, or possibly even lower-level than that.

ehamberg, May 22 '14 20:05
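One way an application can enforce the check the issue asks for at the `addHeader` level, as an added example that is not part of the original report or of scotty itself: `safeAddHeader` and `hasCRLF` are hypothetical helper names, and the untrusted value is a constructed input standing in for something copied from a request.

```haskell
{-# LANGUAGE OverloadedStrings #-}

import qualified Data.Text.Lazy as TL
import Web.Scotty

-- True when a header name or value contains a CR or LF, i.e. a character
-- that would end the header line and let a second header be smuggled in.
hasCRLF :: TL.Text -> Bool
hasCRLF = TL.any (\c -> c == '\r' || c == '\n')

-- Hypothetical wrapper (not a scotty API) that refuses a header whose name
-- or value could split into several header lines, instead of emitting it.
-- `raise` aborts the handler, so the response carries no partial header.
safeAddHeader :: TL.Text -> TL.Text -> ActionM ()
safeAddHeader name value
  | hasCRLF name || hasCRLF value =
      raise "refusing to set a header containing CR or LF"
  | otherwise = addHeader name value

main :: IO ()
main = scotty 7000 $ get "/" $ do
  -- constructed untrusted input: the same value the report uses
  let untrusted = "Hey\r\nContent-Type: bla" :: TL.Text
  -- this raises, so the client never sees the injected Content-Type line
  safeAddHeader "X-Foo" untrusted
  text "..."
```

With the check in place, `curl -i` against the same route returns an error response from `raise` rather than the two `Content-Type` headers shown above.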