This is an automated email from the ASF dual-hosted git repository.

shreemaanabhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 5ca771557 fix(fw-auth): disallow control characters in headers (#13057)
5ca771557 is described below

commit 5ca771557f2cea60bb76dbf6a2b109866888b1a2
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Tue Mar 3 16:38:58 2026 +0545

    fix(fw-auth): disallow control characters in headers (#13057)
---
 apisix-master-0.rockspec |  2 +-
 t/admin/routes4.t        |  3 ++-
 t/plugin/forward-auth.t  | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/apisix-master-0.rockspec b/apisix-master-0.rockspec
index 582cb8538..7da2b0832 100644
--- a/apisix-master-0.rockspec
+++ b/apisix-master-0.rockspec
@@ -36,7 +36,7 @@ dependencies = {
     "api7-lua-resty-dns-client = 7.1.0-0",
     "lua-resty-template = 2.0-1",
     "lua-resty-etcd = 1.10.6-0",
-    "api7-lua-resty-http = 0.2.2-0",
+    "api7-lua-resty-http = 0.2.3-0",
     "lua-resty-balancer = 0.05-0",
     "lua-resty-ngxvar = 0.5.2-0",
     "lua-resty-jit-uuid = 0.0.7-2",
diff --git a/t/admin/routes4.t b/t/admin/routes4.t
index 8ae024b8b..9405ddf42 100644
--- a/t/admin/routes4.t
+++ b/t/admin/routes4.t
@@ -482,7 +482,8 @@ passed
             httpc:connect(ngx.var.server_addr, ngx.var.server_port)
             local res, err = httpc:request(
                 {
-                    path = '/apisix/admin/routes/1?ttl=1',
+                    path = '/apisix/admin/routes/1',
+                    query = { ttl = 1 },
                     method = "GET",
                 }
             )
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
index ed74dc533..450bece82 100644
--- a/t/plugin/forward-auth.t
+++ b/t/plugin/forward-auth.t
@@ -338,6 +338,24 @@ property "request_method" validation failed: matches none 
of the enum values
                         "upstream_id": "u1",
                         "uri": "/ping3"
                     }]]
+                },
+                {
+                    url = "/apisix/admin/routes/11",
+                    data = [[{
+                        "plugins": {
+                            "forward-auth": {
+                                "uri": "http://127.0.0.1:1984/auth";,
+                                "request_method": "GET",
+                                "request_headers": ["Authorization"],
+                                "extra_headers": {"X-User": "$arg_user"}
+                            },
+                            "proxy-rewrite": {
+                                "uri": "/echo"
+                            }
+                        },
+                        "upstream_id": "u1",
+                        "uri": "/crlf"
+                    }]]
                 }
             }
 
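Review bot: The new route 11 body contains `"uri": "http://127.0.0.1:1984/auth";,` — a `;` after the closing quote is not valid JSON, so the admin API would reject the route and the `"passed\n" x 13` expectation in the next hunk could not hold; this is most likely an artifact of the mail rendering rather than the committed file, but it is worth confirming against the repository copy before relying on this test. The `data` table and the enclosing test function both begin outside the hunk. The route deliberately feeds the untrusted `$arg_user` value into `extra_headers`, which is what TEST 16 later relies on; a short comment such as `-- route 11: untrusted query arg interpolated into an outbound header (used by the CRLF test)` would make that intent visible to the next reader.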
@@ -350,7 +368,7 @@ property "request_method" validation failed: matches none 
of the enum values
         }
     }
 --- response_body eval
-"passed\n" x 12
+"passed\n" x 13
 
 
 
@@ -489,3 +507,14 @@ GET /ping3
 Authorization: 888
 --- response_body_like eval
 qr/\"x-user-id\":\"i-am-an-user\"/
+
+
+
+=== TEST 16: block CRLF header injection
+--- request
+GET /crlf?user=guest%0d%0ax-user1:%20admin
+--- more_headers
+Authorization: 111
+--- error_code: 403
+--- error_log
+failed to process forward auth, err: invalid characters found in header value,
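Review bot: TEST 16 exercises only the CR+LF pair (`%0d%0a`) in `$arg_user`, so it does not demonstrate that a lone LF or a lone CR in the interpolated header value is rejected as well; a second case with `user=guest%0aX-User1:%20admin` under the same `--- error_code: 403` and `--- error_log` expectations would pin the whole control-character class rather than one sequence. The rejection itself is not implemented in this repository — the diff only bumps `api7-lua-resty-http` to 0.2.3-0 in the rockspec — so the expected `error_log` line `failed to process forward auth, err: invalid characters found in header value,` couples the test to that library's exact wording, which deserves a one-line comment on the test, e.g. `# error text is produced by api7-lua-resty-http's header validation, not by the plugin`. The trailing comma in the expected line suggests the logged message continues; if the library appends the offending header name there, asserting that tail too would make a regression easier to spot. Test::Nginx matches `--- error_log` as a substring, so the truncated form still passes as written.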
