[io]: HTTP header parser accepts many invalid characters within header names #59846

@kenballus

In RFC 9110, the allowable characters within a header name are

tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
"^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

dart:io does not enforce this rule. The following characters are incorrectly accepted:

\x00 \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x0b \x0c \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x22 \x28 \x29 \x2c \x2f \x3a \x3b \x3c \x3d \x3e \x3f \x40 \x5b \x5c \x5d \x7b \x7d \x7f \x80 \x81 \x82 \x83 \x84 \x85 \x86 \x87 \x88 \x89 \x8a \x8b \x8c \x8d \x8e \x8f \x90 \x91 \x92 \x93 \x94 \x95 \x96 \x97 \x98 \x99 \x9a \x9b \x9c \x9d \x9e \x9f \xa0 \xa1 \xa2 \xa3 \xa4 \xa5 \xa6 \xa7 \xa8 \xa9 \xaa \xab \xac \xad \xae \xaf \xb0 \xb1 \xb2 \xb3 \xb4 \xb5 \xb6 \xb7 \xb8 \xb9 \xba \xbb \xbc \xbd \xbe \xbf \xc0 \xdb \xdc \xdd \xde \xdf \xe0 \xe1 \xe2 \xe3 \xe4 \xe5 \xe6 \xe7 \xe8 \xe9 \xea \xeb \xec \xed \xee \xef \xf0 \xf1 \xf2 \xf3 \xf4 \xf5 \xf6 \xf7 \xf8 \xf9 \xfa \xfb \xfc \xfd \xfe \xff

Of particular note is that NUL and some whitespace characters (\x0b) are in this list. This can cause issues with upstream proxies.

$ dart info
...
- Dart 3.6.0-edge.3cc6105316be32e2d48b1b9b253247ad4fc89698 (main) (Fri Aug 30 22:53:32 2024 +0000) on "linux_x64"
- on linux / Linux 6.10.2-arch1-2 #1 SMP PREEMPT_DYNAMIC Sat, 03 Aug 2024 17:56:17 +0000
- locale is en_US
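
Added example, not part of the original issue and not dart:io code: a strict field-name check against the `tchar` set quoted above, of the kind a front-end or a parser regression test can apply to raw header lines. The function names and the sample lines are constructed for illustration.

```python
import string

# tchar as quoted in the issue: 15 symbols plus DIGIT and ALPHA (77 bytes total).
TCHAR = frozenset(
    (string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode("ascii")
)


def invalid_name_bytes(name: bytes) -> list[int]:
    """Return every byte value in a field name that is not a tchar."""
    return [b for b in name if b not in TCHAR]


def check_field_line(line: bytes) -> tuple[bool, str]:
    """Validate the name part of one raw header line (CRLF already stripped).

    The name is everything before the first colon, so whitespace between
    the name and the colon is reported as a non-tchar byte in the name.
    """
    name, sep, _value = line.partition(b":")
    if not sep:
        return False, "no colon"
    if not name:
        return False, "empty field name"
    bad = invalid_name_bytes(name)
    if bad:
        shown = " ".join(f"\\x{b:02x}" for b in bad)
        return False, "non-tchar bytes in name: " + shown
    return True, "ok"


# Constructed sample lines (not captured traffic).
SAMPLES = [
    b"Content-Length: 0",
    b"Content-Length\x00: 0",          # NUL inside the name
    b"Transfer-Encoding\x0b: chunked",  # vertical tab inside the name
    b"X-Test\xff: 1",                   # high byte inside the name
    b"Host : example.com",              # space before the colon
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_field_line(sample))
```

A server or proxy that applies this check should answer a failing line with 400 rather than strip or normalise the offending bytes, so that every hop sees the same set of headers.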

Labels: area-vm, library-io, triaged, type-bug
