
security: sanitize HTTP response headers to prevent response splitting #472

Description

@t0k0sh1

Summary

The HTTP client path filters CRLF in outbound request headers, but the server response path currently accepts and emits header keys and values without equivalent sanitization.

Problem

  • src/runtime_http.cpp copies response header keys and values from the provided map into the response object.
  • The serialized HTTP response writes those headers directly to the wire.
  • There is no rejection or normalization for CRLF in response header names or values.

Security Impact

If application code reflects attacker-controlled input into response headers, CRLF injection can enable HTTP response splitting or header injection.

Goals

  • Reject or sanitize response header names and values containing CR or LF.
  • Keep behavior consistent with the existing client-side request header hardening.
  • Add tests covering malicious header input.

Acceptance Criteria

  • Responses cannot emit attacker-controlled extra header lines via embedded CRLF.
  • Safe headers continue to behave as before.
  • Tests cover both rejection and normal header serialization behavior.

Notes

Relevant area:

  • src/runtime_http.cpp
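
One way to meet the goals above by rejecting rather than sanitizing (an added example, not code from this project; the function names are hypothetical and do not come from src/runtime_http.cpp). It goes slightly beyond CR and LF: names are limited to RFC 9110 token characters, and values may not contain any control byte other than horizontal tab.

```cpp
#include <iostream>
#include <map>
#include <string>

// Added example: helper names are hypothetical, not taken from src/runtime_http.cpp.

// Header names must be RFC 9110 "token" characters, which excludes CR, LF, ':' and space.
static bool is_token_char(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) return true;
    return c != 0 && std::string("!#$%&'*+-.^_`|~").find(static_cast<char>(c)) != std::string::npos;
}

static bool valid_header_name(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!is_token_char(c)) return false;
    return true;
}

// Header values: reject CR, LF, NUL and every other control byte except horizontal tab.
static bool valid_header_value(const std::string& value) {
    for (unsigned char c : value)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    return true;
}

// Serializes the header block into `out`. Returns false and leaves `out` empty if any
// name or value fails validation, so nothing partial ever reaches the wire.
bool serialize_headers(const std::map<std::string, std::string>& headers, std::string& out) {
    out.clear();
    std::string buf;
    for (const auto& kv : headers) {
        if (!valid_header_name(kv.first) || !valid_header_value(kv.second)) return false;
        buf += kv.first + ": " + kv.second + "\r\n";
    }
    out = buf + "\r\n";  // blank line terminates the header section
    return true;
}

int main() {
    // Constructed sample input: a reflected redirect target carrying an embedded CRLF.
    std::map<std::string, std::string> h = {{"Location", "/home\r\nSet-Cookie: sid=injected"}};
    std::string wire;
    std::cout << (serialize_headers(h, wire) ? "emitted" : "rejected") << "\n";
    return 0;
}
```

Validating the whole map before writing anything keeps a rejected header from leaving a half-written response on the connection.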
