Raise an exception when a response header contains CR or LF

macournoyer · May 18, 2021 · 6c58953 · 6c58953
1 parent dd24bf5
commit 6c58953
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/lib/thin/headers.rb b/lib/thin/headers.rb
@@ -1,4 +1,8 @@
 module Thin
+  # Raised when an header is not valid
+  # and the server can not process it.
+  class InvalidHeader < StandardError; end
+
   # Store HTTP header name-value pairs direcly to a string
   # and allow duplicated entries on some names.
   class Headers
@@ -21,8 +25,10 @@ def []=(key, value)
         value = case value
                 when Time
                   value.httpdate
-                when NilClass, CR_OR_LF
+                when NilClass
                   return
+                when CR_OR_LF
+                  raise InvalidHeader, "Header contains CR or LF"
                 else
                   value.to_s
                 end

diff --git a/spec/headers_spec.rb b/spec/headers_spec.rb
@@ -44,17 +44,14 @@
   end
 
   it 'should not allow CRLF' do
-    @headers['Bad'] = "a\r\nSet-Cookie: injected=value"
-    expect(@headers.to_s).to be_empty
+    expect { @headers['Bad'] = "a\r\nSet-Cookie: injected=value" }.to raise_error(InvalidHeader)
   end
 
   it 'should not allow CR' do
-    @headers['Bad'] = "a\rSet-Cookie: injected=value"
-    expect(@headers.to_s).to be_empty
+    expect { @headers['Bad'] = "a\rSet-Cookie: injected=value" }.to raise_error(InvalidHeader)
   end
 
   it 'should not allow LF' do
-    @headers['Bad'] = "a\nSet-Cookie: injected=value"
-    expect(@headers.to_s).to be_empty
+    expect { @headers['Bad'] = "a\nSet-Cookie: injected=value" }.to raise_error(InvalidHeader)
   end
 end