Source: rust-http-types
Version: 2.12.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/http-rs/http-types/issues/534
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
From https://rustsec.org/advisories/RUSTSEC-2026-0174.html

> Description
>
> Authorization::value uses HeaderValue::value with the claim that the
> internal string is ASCII, but Authorization::new and
> Authorization::set_credentials accept arbitrary String credentials
> without validation. As a result, safe code can construct a header
> value containing non-ASCII UTF-8 while the implementation assumes
> ASCII.
>
> WwwAuthenticate::new and WwwAuthenticate::set_realm similarly
> accept arbitrary String input, so WwwAuthenticate::value can also
> produce a header value that violates the crate’s documented ASCII
> invariants.
>
> This issue has not been confirmed as Undefined Behavior, but the
> unsafe justification in Authorization::value and
> WwwAuthenticate::value appears incorrect and can produce values
> outside the expected ASCII-only constraints.
>
> The http-types crate is unmaintained and the issue is unlikely to be
> fixed.

Given the last statement this is more about tracking. Can the package
OTOH be worked towards being removed?

Regards,
Salvatore
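The pattern the advisory describes, as an added stand-alone illustration (not code from the http-types crate or from this bug report): a header type whose documented invariant is "ASCII only", an `unsafe` unchecked constructor that trusts the caller, and an `Authorization::new` that forwards arbitrary `String` credentials to it without validation. The type and method names below are stand-ins modelled on the advisory text; only the shape of the problem (unverified SAFETY claim fed by unvalidated input) is taken from it. The `checked_authorization` helper is an assumed corrected form, not anything the crate ships.

```rust
// Added example: a self-contained model of the invariant violation described
// in RUSTSEC-2026-0174. These are stand-in types written for this message,
// not http-types' own code.

/// Stand-in for a header value type whose documented invariant is "ASCII only".
#[derive(Debug, Clone, PartialEq)]
pub struct HeaderValue {
    inner: String,
}

impl HeaderValue {
    /// Checked constructor: refuses anything outside ASCII.
    pub fn from_bytes(bytes: Vec<u8>) -> Result<Self, String> {
        if !bytes.is_ascii() {
            return Err("header value must be ASCII".to_string());
        }
        // ASCII bytes are always valid UTF-8, so this unwrap cannot fail.
        Ok(Self { inner: String::from_utf8(bytes).unwrap() })
    }

    /// Unchecked constructor: the caller promises the bytes are ASCII.
    /// It is `unsafe` because downstream code may rely on that promise.
    pub unsafe fn from_bytes_unchecked(bytes: Vec<u8>) -> Self {
        // Non-ASCII *UTF-8* reaching here is not memory-unsafe on its own,
        // which matches the advisory's "not confirmed as UB" wording; it
        // still leaves the value outside the type's documented invariant.
        Self { inner: unsafe { String::from_utf8_unchecked(bytes) } }
    }

    pub fn as_str(&self) -> &str {
        &self.inner
    }

    /// Lets a caller detect a violated invariant after the fact.
    pub fn is_ascii(&self) -> bool {
        self.inner.is_ascii()
    }
}

/// Stand-in for the advisory's Authorization header: arbitrary Strings accepted.
pub struct Authorization {
    scheme: String,
    credentials: String,
}

impl Authorization {
    /// Mirrors the described behaviour: `credentials` is never validated.
    pub fn new(scheme: impl Into<String>, credentials: impl Into<String>) -> Self {
        Self { scheme: scheme.into(), credentials: credentials.into() }
    }

    /// Mirrors the described `value`: the "internal string is ASCII" claim
    /// is asserted in a SAFETY comment but never checked.
    pub fn value(&self) -> HeaderValue {
        let output = format!("{} {}", self.scheme, self.credentials);
        // SAFETY claim (as in the pattern under discussion): "the internal
        // string is ASCII". Nothing above enforces that.
        unsafe { HeaderValue::from_bytes_unchecked(output.into_bytes()) }
    }
}

/// Assumed corrected form: validate at the construction boundary instead of
/// relying on an unverified claim at the unsafe call site.
pub fn checked_authorization(scheme: &str, credentials: &str) -> Result<HeaderValue, String> {
    HeaderValue::from_bytes(format!("{} {}", scheme, credentials).into_bytes())
}

fn main() {
    // Constructed sample input: a credential containing non-ASCII UTF-8.
    let unchecked = Authorization::new("Bearer", "tökèn").value();
    println!(
        "unchecked path: {:?} is_ascii={}",
        unchecked.as_str(),
        unchecked.is_ascii()
    );
    println!("checked path:   {:?}", checked_authorization("Bearer", "tökèn"));
    println!("checked path:   {:?}", checked_authorization("Basic", "dXNlcjpwYXNz"));
}
```

Running it shows the unchecked path happily returning `"Bearer tökèn"` with `is_ascii() == false`, while the checked helper rejects the same input and accepts plain base64 credentials; the point is that the `unsafe` block's justification is only as good as the validation that feeds it.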

