
Test to confirm that header names are not trimmed

Open swankjesse opened this issue 4 years ago • 3 comments

This caused the Go folks some grief. It doesn’t impact us as much (clients control which servers they contact), but it’s good to be careful.

https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q

swankjesse avatar Sep 26 '19 13:09 swankjesse

Seems awkward

https://github.com/1184893257/okhttp/blob/master/okhttp-tests/src/test/java/com/squareup/okhttp/internal/http/HeadersTest.java#L136

  @Test public void ofTrims() {
    Headers headers = Headers.of("\t User-Agent \n", " \r OkHttp ");
    assertEquals("User-Agent", headers.name(0));
    assertEquals("OkHttp", headers.value(0));
  }

https://github.com/1184893257/okhttp/blob/master/okhttp-tests/src/test/java/com/squareup/okhttp/internal/http/HeadersTest.java#L262

  @Test public void ofMapTrimsKey() {
    Headers headers = Headers.of(singletonMap(" User-Agent ", "OkHttp"));
    assertThat(headers.name(0)).isEqualTo("User-Agent");
  }

yschimke avatar Apr 12 '20 13:04 yschimke
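
The tests quoted above show header names being trimmed. As an added example (not OkHttp's code and not written by anyone in this thread), here is a validator that rejects any name containing characters outside the RFC 7230 token set instead of trimming it. `StrictHeaderNames`, `checkName` and `isValid` are hypothetical names, and the sample inputs are constructed.

```java
// Added illustration: StrictHeaderNames and its methods are hypothetical, not OkHttp API.
public final class StrictHeaderNames {
  // RFC 7230 "tchar" punctuation; letters and digits are checked separately.
  private static final String TCHAR_PUNCT = "!#$%&'*+-.^_`|~";

  /** Returns the name unchanged if it is a valid RFC 7230 token, otherwise throws. */
  static String checkName(String name) {
    if (name == null || name.isEmpty()) {
      throw new IllegalArgumentException("header name is empty");
    }
    for (int i = 0; i < name.length(); i++) {
      char c = name.charAt(i);
      boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
          || (c >= '0' && c <= '9') || TCHAR_PUNCT.indexOf(c) >= 0;
      if (!ok) {
        // Report the offending byte and position; never repair the name silently.
        throw new IllegalArgumentException(String.format(
            "invalid character 0x%02x at index %d in header name", (int) c, i));
      }
    }
    return name;
  }

  static boolean isValid(String name) {
    try {
      checkName(name);
      return true;
    } catch (IllegalArgumentException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed inputs, including the two names used in the tests quoted above.
    String[] samples = {"User-Agent", "\t User-Agent \n", " User-Agent ", "X-Trace Id", ""};
    for (String s : samples) {
      System.out.printf("%-22s trim() -> %-14s strict -> %s%n",
          quote(s), quote(s.trim()), isValid(s) ? "accepted" : "rejected");
    }
  }

  private static String quote(String s) {
    return '"' + s.replace("\t", "\\t").replace("\n", "\\n").replace("\r", "\\r") + '"';
  }
}
```

Only the first sample is accepted. `trim()` would turn the second and third into `User-Agent`, which is the normalization the issue title asks a test to rule out.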

@swankjesse Are you happy that we change the behaviour and tests here? Fix is simple if so, and we just publicise it in our release.

yschimke avatar May 15 '20 09:05 yschimke

Unclear what action we should take. Note that there’s another potential attack on response headers.

swankjesse avatar May 15 '20 21:05 swankjesse