On Mon, 29 Jan 2024, Stephen Booth via curl-library wrote:
A sanity check in curl would have helped me find the problem but it sounds like there are reasons I'm not aware of for not attempting any validation.
In the early days of supporting custom HTTP headers, I know some users provided headers like "header: foobar\nheader2:" when that was the only way to provide a content-less header. In some even worse cases, more or less a full request was manually crafted that way.
Know that, I have always been a little hesitant to add a check or to filter off newlines from these headers as I fear it will break a number of legacy use cases.
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
