scotty
Disallow `\r\n` in Header text
As the following program illustrates, it is possible to set more than one HTTP header by passing a string containing `\r\n` to `setHeader`, possibly leading to duplicate headers:
```haskell
{-# LANGUAGE OverloadedStrings #-}
import Web.Scotty

main :: IO ()
main = scotty 7000 $ get "/" $ do
  -- The embedded "\r\n" ends the X-Foo header line, so the remainder of the
  -- string is emitted as a second, separate Content-Type header.
  addHeader "X-Foo" "Hey\r\nContent-Type: bla"
  text "..."
```
```shell
$ curl -i 'http://localhost:7000'
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 22 May 2014 20:05:28 GMT
Server: Warp/2.1.5.1
Content-Type: text/plain
X-Foo: Hey
Content-Type: bla
...
```
Of course, data should ideally be sanitized before it reaches all the way to `setHeader`, but it would nonetheless be good to disallow this at the `setHeader` level, or possibly even lower-level than that.
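One way to enforce such a check at the call site, shown here as an added example that is not part of the original issue or of scotty itself (the `checkHeader` helper and the `X-Input` request header used as the untrusted source are assumptions):

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Maybe (fromMaybe)
import qualified Data.Text.Lazy as TL
import Network.HTTP.Types.Status (badRequest400)
import Web.Scotty

-- A header name or value may not contain CR or LF: either character ends the
-- current header line, so whatever follows is parsed as a new header.
-- (checkHeader is an assumed helper written for this example, not scotty API.)
checkHeader :: TL.Text -> TL.Text -> Either String (TL.Text, TL.Text)
checkHeader name value
  | hasCrLf name  = Left "header name contains CR or LF"
  | hasCrLf value = Left "header value contains CR or LF"
  | otherwise     = Right (name, value)
  where
    hasCrLf = TL.any (\c -> c == '\r' || c == '\n')

main :: IO ()
main = scotty 7000 $ get "/" $ do
  -- Untrusted input taken from the request header "X-Input" (assumed name).
  mv <- header "X-Input"
  let value = fromMaybe "default" mv
  case checkHeader "X-Foo" value of
    Left err -> do
      -- Refuse the request rather than emit a header that splits into two.
      status badRequest400
      text (TL.pack err)
    Right (n, v) -> do
      setHeader n v
      text "..."
```

The same guard belongs inside `setHeader` and `addHeader` if it is to be enforced library-wide; placing it there, or in the server layer beneath scotty, covers every caller instead of just this one handler.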