
HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted (#16861)#16863

Merged

normanmaurer merged 1 commit into 5.0 from h1_5 on Jun 1, 2026
Conversation

@normanmaurer (Member)

Motivation:
RFC 9112 permits empty lines (CR LF sequences) prior to the request line,
but we were skipping over any ISO control characters.
This is parsing leniency beyond what the standard mandates and can be a
security liability.

Modification:
Expand the scope of the "strict line parsing" decoder configuration
option to also include enforcing that any octets prior to the initial
line can only be the line separators CR LF.

Result:
Strict line parsing covers more cases.

Co-authored-by: Chris Vest christianvest_hansen@apple.com

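As an added illustration (not Netty's code and not part of this PR), the following Python model contrasts the two prefix-skipping policies the description above refers to: the old lenient behaviour that skipped any ISO control character ahead of the request line, and the strict behaviour that tolerates only CR and LF octets and rejects anything else. Function names and the sample request bytes are constructed for this example and do not come from the Netty code base.

```python
# Added example: model of lenient vs. strict handling of octets that arrive
# ahead of an HTTP/1.1 request line. Not Netty code; names and samples are
# constructed for illustration.

CR, LF = 0x0D, 0x0A


def is_iso_control(b: int) -> bool:
    """Single-octet equivalent of Java's Character.isISOControl:
    C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F)."""
    return b <= 0x1F or 0x7F <= b <= 0x9F


def skip_prefix_lenient(data: bytes) -> int:
    """Old behaviour: silently skip *any* ISO control octet before the
    request line. Returns the offset at which the request line starts."""
    i = 0
    while i < len(data) and is_iso_control(data[i]):
        i += 1
    return i


def skip_prefix_strict(data: bytes) -> int:
    """Strict behaviour: only CR and LF octets may precede the request line
    (RFC 9112 lets a server ignore empty lines there). Any other control
    octet is rejected instead of being skipped."""
    i = 0
    while i < len(data):
        b = data[i]
        if b == CR or b == LF:
            i += 1
        elif is_iso_control(b):
            raise ValueError(
                f"invalid control octet 0x{b:02x} at offset {i} before request line"
            )
        else:
            break
    return i


def request_line(data: bytes, strict: bool) -> str:
    """Return the request line (without its CRLF) after applying the chosen
    prefix policy. Raises ValueError on a rejected prefix or a missing CRLF."""
    start = skip_prefix_strict(data) if strict else skip_prefix_lenient(data)
    end = data.find(b"\r\n", start)
    if end < 0:
        raise ValueError("incomplete request line: no CRLF found")
    return data[start:end].decode("ascii")


if __name__ == "__main__":
    # Constructed samples: a permitted empty-line prefix and a prefix that
    # smuggles NUL/SOH octets ahead of the request line.
    clean = b"\r\n\r\nGET / HTTP/1.1\r\nHost: example\r\n\r\n"
    smuggled = b"\x00\x01\r\nGET / HTTP/1.1\r\nHost: example\r\n\r\n"

    print("clean, strict  :", request_line(clean, strict=True))
    print("dirty, lenient :", request_line(smuggled, strict=False))
    try:
        request_line(smuggled, strict=True)
    except ValueError as e:
        print("dirty, strict  : rejected ->", e)
```

Run as a script it shows that both policies accept the CRLF-only prefix, while only the lenient policy silently swallows the NUL and SOH octets; the strict policy raises at the first offending octet, which is the behaviour the expanded "strict line parsing" option enforces.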
@normanmaurer normanmaurer merged commit 0896443 into 5.0 Jun 1, 2026
13 checks passed
@normanmaurer normanmaurer deleted the h1_5 branch June 1, 2026 16:45
