lib-http: http_client_request_add_header() - Add key/value asserts
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 10 Feb 2017 13:27:13 +0000 (15:27 +0200)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 17 Feb 2017 09:32:31 +0000 (11:32 +0200)
These don't check that they're entirely correct as required by HTTP
specifications. They're mainly there as a quick check that if the caller
didn't validate the key/value in any way, we'll crash instead of creating
a potential security hole. (Because with line feeds the attacker could
add extra headers or even entirely new HTTP requests.)

src/lib-http/http-client-request.c

index 0071ebd260bca18781b90f5138f7db5a8edb80da..af463ca93e087c388987bf607aae641e5d2ca1a9 100644 (file)
@@ -301,6 +301,9 @@ void http_client_request_add_header(struct http_client_request *req,
                 /* allow calling for retries */
                 req->state == HTTP_REQUEST_STATE_GOT_RESPONSE ||
                 req->state == HTTP_REQUEST_STATE_ABORTED);
+       /* make sure key or value can't break HTTP headers entirely */
+       i_assert(strpbrk(key, ":\r\n") == NULL);
+       i_assert(strpbrk(value, "\r\n") == NULL);
 
        /* mark presence of special headers */
        switch (key[0]) {
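Review bot: The new asserts reject `:` and CR/LF in the key but still let an empty key through to the `switch (key[0])` on the next line, where it dispatches on `'\0'`; since the intent is a quick guard against unvalidated caller input, `i_assert(*key != '\0');` next to the strpbrk checks would cover that case as well. The comment on the added lines would also benefit from stating what the check does not do, e.g. `/* guards only against header/request injection via ':' and CR/LF; callers must still validate key and value against the HTTP field syntax */`, so nobody later reads it as full validation. Whether an empty key is rejected earlier in http_client_request_add_header is not visible here; the function body begins and continues outside the hunk.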