mirror of
https://github.com/znc/znc.git
synced 2026-07-03 00:11:59 +02:00
HTTPSock: reject CR/LF in AddHeader name/value
AddHeader wrote its arguments straight into the response stream. No in-tree caller reaches it with attacker-controlled bytes today, but the public API is exposed to module authors; one bad caller would be a header-injection bug. Filter at the entry rather than at every caller.
@@ -763,6 +763,13 @@ void CHTTPSock::SetContentType(const CString& sContentType) {
|
||||
}
|
||||
|
||||
void CHTTPSock::AddHeader(const CString& sName, const CString& sValue) {
|
||||
// Reject CR/LF in either half so we never emit a malformed header or
|
||||
// give a caller (e.g. a future module) a cheap response-splitting
|
||||
// primitive. No in-tree caller reaches this with attacker-controlled
|
||||
// bytes today; this is a defensive guard, not a fix for an existing
|
||||
// exploit.
|
||||
if (sName.find_first_of("\r\n") != CString::npos) return;
|
||||
if (sValue.find_first_of("\r\n") != CString::npos) return;
|
||||
m_msHeaders[sName] = sValue;
|
||||
}
|
||||
|
||||
|
||||
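Review bot: The two early `return` statements in AddHeader drop the header silently, so a module author who passes a bad name or value gets no signal that the header was never set. Since the function returns void, consider at least a debug-level log line naming the rejected header (with the bytes escaped), or changing the return type to bool so callers can react. The check also covers only "\r\n": a name containing ':' or a space, or a NUL byte in either argument, still lands in m_msHeaders, so if the goal stated in the comment is to never emit a malformed header, the name could be restricted to HTTP token characters. SetContentType, visible in the hunk header, also takes a caller-supplied string and is worth checking for the same guard.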