headers: etag: reject invalid characters

ririsoft · ririsoft · commit 0f26be19abb4 · 2020-08-26T08:39:56.000+02:00
rfc7232 specifies a valid set of ASCII characters
that etag headers should match.
diff --git a/src/conditional/etag.rs b/src/conditional/etag.rs
@@ -84,6 +84,16 @@ impl ETag {
             }
         };
 
+        if !s
+            .bytes()
+            .all(|c| c == 0x21 || (c >= 0x23 && c <= 0x7E) || c >= 0x80)
+        {
+            return Err(Error::from_str(
+                StatusCode::BadRequest,
+                "Invalid ETag header",
+            ));
+        }
+
         let etag = if weak { Self::Weak(s) } else { Self::Strong(s) };
         Ok(Some(etag))
     }
@@ -180,4 +190,11 @@ mod test {
         let err = ETag::from_headers(headers).unwrap_err();
         assert_eq!(format!("{}", err), msg);
     }
+
+    #[test]
+    fn validate_characters() -> crate::Result<()> {
+        assert_entry_err(r#"""hello""#, "Invalid ETag header");
+        assert_entry_err("\"hello\x7F\"", "Invalid ETag header");
+        Ok(())
+    }
 }
