From: Willy Tarreau
Date: Tue, 26 May 2026 11:49:49 +0000 (+0200)
Subject: BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
X-Git-Tag: v3.4-dev14~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b46307203267a7c15c86190a53877703945f8d56;p=thirdparty%2Fhaproxy.git

BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers

hlua_http_add_hdr() passes Lua string values directly to htx_add_header() without validation. This can be an issue for user-controlled data, but as well when relying on poorly written scripts.

This patch makes sure that neither the name nor the value may contain any of these forbidden chars.

This should be backported to all versions since the issue has been there since at least 2.4.
---
diff --git a/src/hlua.c b/src/hlua.c
index b87b587e4..2e06fffa5 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -6709,6 +6709,20 @@ __LJMP static inline int hlua_http_add_hdr(lua_State *L, struct http_msg *msg)
 size_t value_len;
 const char *value = MAY_LJMP(luaL_checklstring(L, 3, &value_len));
 struct htx *htx = htxbuf(&msg->chn->buf);
+ size_t i;
+
+ /* Reject header values containing CR/LF/NUL to prevent HTTP header
+ * injection on HTTP/1 output.
+ */
+ for (i = 0; i < name_len; i++) {
+ if (name[i] == 0 || name[i] == '\r' || name[i] == '\n')
+ WILL_LJMP(lua_error(L));
+ }
+
+ for (i = 0; i < value_len; i++) {
+ if (value[i] == 0 || value[i] == '\r' || value[i] == '\n')
+ WILL_LJMP(lua_error(L));
+ }
 lua_pushboolean(L, http_add_header(htx, ist2(name, name_len), ist2(value, value_len), 1));