6f3e462182 (master): [ruby/net-http] Validate header key and field value length in set_field

Hiroshi SHIBATA
to ruby...@g.ruby-lang.org
Hiroshi SHIBATA 2026-06-10 02:14:11 +0000 (Wed, 10 Jun 2026)

New Revision: 6f3e462182

https://github.com/ruby/ruby/commit/6f3e462182

Log:
[ruby/net-http] Validate header key and field value length in set_field

The length limits only ran in initialize_http_header, which responses
bypass: each_response_header builds the response through add_field and
set_field, so an oversized response header field was never bounded. Check
the field value length in set_field and append_field_value, and fold the
key length check into validate_field_name so set_field and
initialize_http_header share one place for validating field names.

https://github.com/ruby/net-http/commit/ab084fdc0c

Co-authored-by: Yusuke Endoh <ma...@ruby-lang.org>
Co-Authored-By: Claude Fable 5 <nor...@anthropic.com>

Modified files:
lib/net/http/header.rb
test/net/http/test_httpheader.rb
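
The gap the log describes, as an added toy model rather than the net-http code from this commit: a length check that runs only in the constructor is skipped when response lines are fed in through add_field. The class names, load_response, both limit values and the sample lines are assumptions made for the illustration.

```ruby
# Toy model of the gap in the log above; not net-http's code.
# Both limits are assumed values picked for the demo.
MAX_KEY_LENGTH   = 64
MAX_VALUE_LENGTH = 256

class BeforeHeaders
  attr_reader :fields
  # Constructor path: the only place the limits run.
  def initialize(initial = {})
    @fields = {}
    initial.each do |key, value|
      raise ArgumentError, "field name too long" if key.to_s.bytesize > MAX_KEY_LENGTH
      raise ArgumentError, "field value too long" if value.to_s.bytesize > MAX_VALUE_LENGTH
      @fields[key.to_s.downcase] = [value.to_s]
    end
  end

  # Response path: stores whatever the peer sent, unbounded.
  def add_field(key, value)
    (@fields[key.to_s.downcase] ||= []) << value.to_s
  end
end

class AfterHeaders
  attr_reader :fields
  def initialize(initial = {})
    @fields = {}
    initial.each { |key, value| add_field(key, value) }
  end

  # Every write goes through the same name and value checks.
  def add_field(key, value)
    name = validate_field_name(key)
    raise ArgumentError, "field value too long" if value.to_s.bytesize > MAX_VALUE_LENGTH
    (@fields[name] ||= []) << value.to_s
  end

  private
  def validate_field_name(key)
    raise ArgumentError, "field name too long" if key.to_s.bytesize > MAX_KEY_LENGTH
    key.to_s.downcase
  end
end

# Constructed response header lines (sample data, not a capture).
SAMPLE_LINES = ["Content-Type: text/html", "X-Pad: " + "a" * 100_000].freeze

def load_response(klass, lines)
  lines.each_with_object(klass.new) { |line, h| h.add_field(*line.split(/:\s*/, 2)) }
end
```
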