These don't check that they're entirely correct as required by HTTP
specifications. They're mainly there as a quick check that if the caller
didn't validate the key/value in any way, we'll crash instead of creating
a potential security hole. (Because with line feeds the attacker could
add extra headers or even entirely new HTTP requests.)
/* allow calling for retries */
req->state == HTTP_REQUEST_STATE_GOT_RESPONSE ||
req->state == HTTP_REQUEST_STATE_ABORTED);
+ /* make sure key or value can't break HTTP headers entirely */
+ i_assert(strpbrk(key, ":\r\n") == NULL);
+ i_assert(strpbrk(value, "\r\n") == NULL);
/* mark presence of special headers */
switch (key[0]) {
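Review bot: the key check `i_assert(strpbrk(key, ":\r\n") == NULL);` still accepts an empty key and keys containing spaces or tabs, which would also yield a malformed header line; consider asserting `key[0] != '\0'` as well and adding " \t" to the rejected set for the key. Because both asserts turn an unvalidated key or value into a process crash, the function's API comment should state that callers must pass a key without ':', CR or LF and a value without CR or LF, so that callers handling untrusted input validate it before calling rather than relying on the assert.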