[io] Fix a bug where NUL was allowed in HTTP headers.

Bug:#56636
Change-Id: I88c579cfaaf0884cb3b582084b8739b060d8f439
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/402541
Reviewed-by: Alexander Aprelev <[email protected]>
Commit-Queue: Brian Quinlan <[email protected]>

Author: brianquinlan

CHANGELOG.md

@@ -223,6 +223,11 @@ AOT snapshot can be used as follows to run DDC <dart-sdk>/bin/dartaotruntime
   release. Users should migrate to using `dart:js_interop` and `package:web`.
   See [#59716][].
 
+#### `dart:io`
+
+- `HttpException` will be thrown by `HttpClient` and `HttpServer` if a `NUL`
+  (`0x00`) appears in a received HTTP header value.
+
 #### `dart:svg`
 
 - `dart:svg` is marked deprecated and will be removed in an upcoming release.

sdk/lib/_http/http_parser.dart

@@ -683,7 +683,7 @@ class _HttpParser extends Stream<_HttpIncoming> {
             _state = _State.HEADER_VALUE_FOLD_OR_END;
           } else if (byte != _CharCode.SP && byte != _CharCode.HT) {
             // Start of new header value.
-            _addWithValidation(_headerValue, byte);
+            _addToHeaderValueWithValidation(_headerValue, byte);
             _state = _State.HEADER_VALUE;
           }
           break;
@@ -694,7 +694,7 @@ class _HttpParser extends Stream<_HttpIncoming> {
           } else if (byte == _CharCode.LF) {
             _state = _State.HEADER_VALUE_FOLD_OR_END;
           } else {
-            _addWithValidation(_headerValue, byte);
+            _addToHeaderValueWithValidation(_headerValue, byte);
           }
           break;
 
@@ -710,7 +710,7 @@ class _HttpParser extends Stream<_HttpIncoming> {
             // prior to interpreting the field value or forwarding the
             // message downstream."
             // See https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
-            _addWithValidation(_headerValue, _CharCode.SP);
+            _addToHeaderValueWithValidation(_headerValue, _CharCode.SP);
             _state = _State.HEADER_VALUE_START; // Strips leading whitespace.
           } else {
             String headerField = String.fromCharCodes(_headerField);
@@ -1117,6 +1117,16 @@ class _HttpParser extends Stream<_HttpIncoming> {
     }
   }
 
+  void _addToHeaderValueWithValidation(List<int> list, int byte) {
+    // From RFC-9110:
+    // Field values containing CR, LF, or NUL characters are invalid and
+    // dangerous.
+    if (byte == 0 || byte == _CharCode.LF || byte == _CharCode.CR) {
+      throw HttpException("Illegal value $byte in HTTP header");
+    }
+    _addWithValidation(list, byte);
+  }
+
   void _addWithValidation(List<int> list, int byte) {
     _headersReceivedSize++;
     if (_headersReceivedSize < _headerTotalSizeLimit) {