Hiroshi SHIBATA 2026-06-10 00:58:06 +0000 (Wed, 10 Jun 2026)
New Revision: ebddeca11d
https://github.com/ruby/ruby/commit/ebddeca11d
Log:
[ruby/net-http] Reject control characters and colon in header field names
Field values and the request line are already validated against CR/LF,
but field names were interpolated into the request as-is, allowing
header injection via the key. Validate names in set_field and
initialize_http_header, which cover all paths into @header with a
user-supplied key.
https://github.com/ruby/net-http/commit/4f13ea5047
Co-Authored-By: Claude Fable 5 <nor...@anthropic.com>
Modified files:
lib/net/http/header.rb
test/net/http/test_httpheader.rb
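The injection path the commit message describes, as an added example that is not net-http's own code: a naive serialiser interpolates the field name as-is, so a key carrying CR/LF yields an extra header line even when every value is checked, and a name validator closes that path. The exact character set net-http settled on is not shown in this notification; the regex below (controls 0x00-0x1F, 0x7F, and the colon) and the helper names are this example's own assumptions.

```ruby
# Added example, not code from ruby/net-http.

# Serialise a header hash the naive way, interpolating the key as-is.
# This is the unsafe 'before' behaviour: values may be validated, but
# a CR/LF inside the *name* still reaches the wire.
def naive_header_block(headers)
  headers.map { |k, v| "#{k}: #{v}\r\n" }.join
end

# Characters a field name must never contain (assumption of this
# example): C0 controls, DEL, and the colon that terminates the name.
FIELD_NAME_CTL_OR_COLON = /[\x00-\x1f\x7f:]/

# Reject an unsafe field name before it is interpolated anywhere.
def validate_field_name!(name)
  name = name.to_s
  if name.empty? || name.match?(FIELD_NAME_CTL_OR_COLON)
    raise ArgumentError, "invalid header field name: #{name.inspect}"
  end
  name
end

# Same serialiser, but every key goes through the validator first,
# mirroring the idea of checking at the single point all keys pass.
def safe_header_block(headers)
  headers.map { |k, v| "#{validate_field_name!(k)}: #{v}\r\n" }.join
end

# Count the header lines a server would parse out of a block.
def header_line_count(block)
  block.split("\r\n").size
end

# Constructed attacker-controlled key: a value-only CR/LF check never
# sees it, because the line break lives in the name.
INJECTED_KEY = "X-Trace: 1\r\nX-Injected".freeze

if __FILE__ == $0
  naive = naive_header_block({ INJECTED_KEY => "x" })
  puts "naive serialisation yields #{header_line_count(naive)} header lines:"
  puts naive.inspect
  begin
    safe_header_block({ INJECTED_KEY => "x" })
  rescue ArgumentError => e
    puts "validated serialisation: #{e.message}"
  end
end
```

Run it directly to see the two lines the naive path emits and the error the validated path raises; in a real client the check belongs wherever user-supplied keys enter the header store, not in the serialiser, so that no caller can bypass it.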