Commit 0b6d9a2

Add PSR-7 erratum "Validation of Header Names and Values"
1 parent 4a14fba commit 0b6d9a2

2 files changed, +45 -0 lines changed

accepted/PSR-7-http-message-meta.md

Lines changed: 43 additions & 0 deletions
@@ -647,3 +647,46 @@ used to populate the headers of an HTTP message.
647647
* Anton Serdyuk
648648
* Phil Sturgeon
649649
* Chris Wilkinson
650+
651+
## 7. Errata
652+
653+
### 7.1 Validation of Header Names and Values
654+
655+
Some special characters within the name or value of an HTTP header might affect
656+
the parsing of the serialized message in a way that the contents of unrelated
657+
headers are changed. This misparsing can open up an application to security
658+
vulnerabilities. A common type of vulnerability is CRLF injection, allowing
659+
an attacker to inject additional headers or end the list of headers early.
660+
661+
For this reason classes implementing the `MessageInterface` SHOULD strictly
662+
validate the header names and contents according to the most recent HTTP
663+
specification ([RFC 7230#3.2][1] at the time of writing). Incorrect values
664+
SHOULD be rejected and no attempt SHOULD be made to automatically correct
665+
the provided values.
666+
667+
A minimally viable validator is expected to reject header names containing the
668+
following characters:
669+
670+
- NUL (0x00)
671+
- `\r` (0x0D)
672+
- `\n` (0x0A)
673+
- Any character less than or equal to 0x20.
674+
675+
Further characters or sequences in header names should be rejected according
676+
to the HTTP specification.
677+
678+
A minimally viable validator is expected to reject header values containing the
679+
following characters:
680+
681+
- NUL (0x00)
682+
- `\r` (0x0D)
683+
- `\n` (0x0A)
684+
685+
If compatibility with older systems is desired then the sequence `\r\n` (0x0D0A)
686+
within a header value may be accepted, if and only if it is preceded by either
687+
SPACE (0x20) or `\t` (0x09).
688+
689+
Further characters or sequences in header values should be rejected according
690+
to the HTTP specification.
691+
692+
[1]: https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
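Review bot: the obs-fold exception in the paragraph beginning "If compatibility with older systems is desired" puts the whitespace on the wrong side of the CRLF. RFC 7230 section 3.2.4 defines `obs-fold = CRLF 1*( SP / HTAB )`, so the line break must be followed by SP or HTAB; a value such as `foo \r\nbar` satisfies the "preceded by" wording as written, yet it serializes as a fresh header line starting with `bar`, which is exactly the CRLF injection this erratum sets out to prevent. Suggest "if and only if it is followed by either SPACE (0x20) or `\t` (0x09)". Minor: in the header-name list, the fourth bullet "Any character less than or equal to 0x20" already subsumes NUL, `\r` and `\n`, so either drop the first three bullets or reword the fourth as "Any other character less than or equal to 0x20" to make the intent explicit.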

accepted/PSR-7-http-message.md

Lines changed: 2 additions & 0 deletions
@@ -75,6 +75,8 @@ referring to these interfaces.
7575

7676
### 1.2 HTTP Headers
7777

78+
[cf. [errata](PSR-7-http-message-meta#71-validation-of-header-names-and-values)]
79+
7880
#### Case-insensitive header field names
7981

8082
HTTP messages include case-insensitive header field names. Headers are retrieved
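Review bot: the relative link added under "### 1.2 HTTP Headers" omits the file extension. `PSR-7-http-message-meta#71-validation-of-header-names-and-values` targets a path that does not exist in this repository (the file added in the first hunk is `accepted/PSR-7-http-message-meta.md`), so the link may not resolve when the document is rendered from the repository. Suggest `[cf. [errata](PSR-7-http-message-meta.md#71-validation-of-header-names-and-values)]`; the `#71-...` fragment itself matches the slug a renderer derives from "### 7.1 Validation of Header Names and Values", so only the path needs changing.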
