andrewmusselman opened a new issue, #602:
URL: https://github.com/apache/tooling-trusted-releases/issues/602

   ## Summary
   
   The `HeaderValue` class validates against double quotes and null bytes but fails to validate against carriage return (`\r`) and line feed (`\n`) characters, which are the basis for HTTP response splitting attacks.
   
   ## ASVS Requirements
   
   - 1.2.1 - Verify that output encoding prevents injection attacks
   
   ## Related Audit Reports
   
   - [1.2.1.md](ASVS/reports/44ee502/L1/1.2.1.md) - ASVS-121-MED-001
   
   ## Affected Files
   
   - `atr/web.py` - `HeaderValue.__init__()` (lines 153-166)
   
   ## Current Behavior
   
   ```python
   class HeaderValue:
       def __init__(self, text: str) -> None:
           if '"' in text:
               raise ValueError(f"Header value cannot contain quotes: {text}")
           if "\x00" in text:
               raise ValueError(f"Header value cannot contain null: {text}")
           # MISSING: No CR/LF validation
           self.text = text
   ```
   
   ## Risk
   
   - HTTP response splitting attacks
   - Header injection
   - Cache poisoning
   - Session fixation via injected Set-Cookie headers
   
   ## Recommended Fix
   
   ```python
   class HeaderValue:
       def __init__(self, text: str) -> None:
           if '"' in text:
               raise ValueError(f"Header value cannot contain quotes: {text}")
           if "\x00" in text:
               raise ValueError(f"Header value cannot contain null: {text}")
           if "\r" in text or "\n" in text:
               raise ValueError(f"Header value cannot contain CR/LF characters: {text}")
           self.text = text
   ```
   
   ## Acceptance Criteria
   
   - [ ] CR (`\r`) character validation added
   - [ ] LF (`\n`) character validation added
   - [ ] Test cases for header injection attempts
   - [ ] Error messages don't leak sensitive information
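   As an added example (not the project's own code), a hardened `HeaderValue` variant that goes a step beyond the recommended fix: it rejects every control character the HTTP field-value grammar forbids (not just CR, LF and NUL), and its error message reports only the code point and offset rather than echoing the rejected value, which addresses the last acceptance criterion. The `validate` helper and the `CASES` inputs are constructed for this illustration.

```python
import re

# Hypothetical hardened variant (not the project's code). Rejects the double
# quote the original check already forbids plus every C0 control character
# except HTAB, and DEL. That covers NUL, CR and LF and matches the RFC 9110
# field-value grammar (VCHAR / SP / HTAB; obs-text bytes are left alone).
_FORBIDDEN = re.compile(r'["\x00-\x08\x0a-\x1f\x7f]')


class HeaderValue:
    def __init__(self, text: str) -> None:
        match = _FORBIDDEN.search(text)
        if match is not None:
            # Do not echo the offending value: report only its code point and
            # offset, so a rejected attempt cannot carry attacker-controlled
            # text into logs or tracebacks.
            raise ValueError(
                f"Header value contains forbidden character "
                f"U+{ord(match.group()):04X} at offset {match.start()}"
            )
        self.text = text


def validate(text: str) -> tuple[bool, str]:
    """Return (accepted, reason) so tests can inspect the error message."""
    try:
        HeaderValue(text)
    except ValueError as exc:
        return False, str(exc)
    return True, ""


# Constructed test inputs: a CRLF split that tries to append a Set-Cookie
# header, a lone LF, a lone CR, the two checks the original code already
# had, and two benign values (HTAB is permitted inside a field value).
CASES = {
    "text/plain\r\nSet-Cookie: session=x": False,
    "abc\nX-Injected: 1": False,
    "abc\rX-Injected: 1": False,
    'attachment; filename="x"': False,
    "abc\x00def": False,
    "nosniff": True,
    "value\twith tab": True,
}

if __name__ == "__main__":
    for value, expected in CASES.items():
        accepted, reason = validate(value)
        # accepted/rejected as expected, and the message never contains the input
        assert accepted is expected and value not in reason, (value, reason)
```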


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
