Summary
The HTTP client path filters CRLF in outbound request headers, but the server response path currently accepts and emits header keys and values without equivalent sanitization.
Problem
- src/runtime_http.cpp copies response header keys and values from the provided map into the response object.
- The serialized HTTP response writes those headers directly to the wire.
- There is no rejection or normalization for CRLF in response header names or values.
Security Impact
If application code reflects attacker-controlled input into response headers, CRLF injection can enable HTTP response splitting or header injection.
Goals
- Reject or sanitize response header names and values containing CR or LF.
- Keep behavior consistent with the existing client-side request header hardening.
- Add tests covering malicious header input.
Acceptance Criteria
- Responses cannot emit attacker-controlled extra header lines via embedded CRLF.
- Safe headers continue to behave as before.
- Tests cover both rejection and normal header serialization behavior.
Notes
Relevant area:
src/runtime_http.cpp
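One way to meet the goals above by rejecting bad headers at serialization time, as an added example that is not the project's code. The function names and the map-based signature are assumptions, and the header-name check goes beyond CR/LF to the full RFC 9110 token rule.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical helpers; names and signatures are not taken from src/runtime_http.cpp.

// Header names must be non-empty RFC 9110 tokens: no CR, LF, space,
// control bytes, non-ASCII bytes or delimiter characters such as ':'.
bool is_valid_header_name(const std::string& name) {
    static const std::string delims = "\"(),/:;<=>?@[\\]{}";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (c <= 0x20 || c >= 0x7f) return false;
        if (delims.find(static_cast<char>(c)) != std::string::npos) return false;
    }
    return true;
}

// Header values (and the reason phrase) must not contain CR, LF or NUL.
bool is_valid_header_value(const std::string& value) {
    return value.find_first_of(std::string("\r\n\0", 3)) == std::string::npos;
}

// Builds the wire form of a response. Returns false and leaves `out`
// untouched if any name or value fails validation, so nothing partial is sent.
bool serialize_response(int status, const std::string& reason,
                        const std::map<std::string, std::string>& headers,
                        const std::string& body, std::string& out) {
    if (!is_valid_header_value(reason)) return false;
    std::string wire = "HTTP/1.1 " + std::to_string(status) + " " + reason + "\r\n";
    for (const auto& kv : headers) {
        if (!is_valid_header_name(kv.first) || !is_valid_header_value(kv.second))
            return false;
        wire += kv.first + ": " + kv.second + "\r\n";
    }
    wire += "\r\n" + body;
    out = wire;
    return true;
}

int main() {
    // Constructed input: a redirect target carrying an embedded CRLF.
    std::map<std::string, std::string> h = {{"Location", "/next\r\nSet-Cookie: sid=1"}};
    std::string wire;
    bool ok = serialize_response(302, "Found", h, "", wire);
    std::cout << (ok ? "serialized" : "rejected") << "\n";
    return ok ? 1 : 0;
}
```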