From 526e0ef4cbf88852f957506306aee51ff56e548f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 16 Mar 2022 23:12:28 +0100
Subject: [PATCH] http: reject header contents with nul bytes
They are not allowed by the protocol and allowing them risk that curl misbehaves somewhere where C functions are used but won't work on the full contents.
Further, they are not supported by hyper and they cause problems for the new coming headers API work.
Updated test 262 to verify and enabled it for hyper as well
Closes #8601
---
 lib/http.c | 7 +++++++
 tests/data/test262 | Bin 1178 -> 1228 bytes
 2 files changed, 7 insertions(+)
diff --git a/lib/http.c b/lib/http.c
index 799d4fb457..bc030ddb7f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -4283,6 +4283,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 }
 }
+ end_ptr = memchr(headp, 0x00, Curl_dyn_len(&data->state.headerb));
+ if(end_ptr) {
+ /* this is bad, bail out */
+ failf(data, "Nul byte in header");
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
+
 result = Curl_http_header(data, conn, headp);
 if(result)
 return result;
diff --git a/tests/data/test262 b/tests/data/test262
index 43994b05fe24a57c3343b0beebc76c08dcff3c32..d119d667232e016cfaadbc4c5b41b763408bf272 100644
GIT binary patch
delta 173
zc-ouAd4_XBCWk^^esV@?a`wjLYDVtFmH8rO=mCFK1=cQz(aoOl2sk6~9OD)Pws|2x1Qj1HH6N`bO0Ft0O A`~Uy|
delta 126
zc-lL|Ig4{b=Em|;M$VMPlEmbU)a2~V-x>LkxRV8#)uq!?6H7{qQj6`l6f-IdQj553 z^kG7iO_-IWJwieP6x>}y6v{J8G8B?B^Ad|H6{=E;@>7d9S2J@kit3l87G
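Review bot: The added `memchr()` in lib/http.c pairs `headp` with `Curl_dyn_len(&data->state.headerb)`, which is a bounded read only if `headp` still points at the start of that dynbuf here; the assignment of `headp` is outside the hunk, so a comment such as `/* headp is the start of headerb, so the dynbuf length bounds this scan */` would pin the assumption down. The two closing braces just above the added lines suggest that earlier blocks of Curl_http_readwrite_headers have already looked at this header line before the nul check runs; if any of them use C string functions they still act on the truncated view, and running the check right after the line is obtained would cover them too. `end_ptr` serves only as a found/not-found flag here, so `if(memchr(headp, 0x00, Curl_dyn_len(&data->state.headerb)))` would avoid reusing a pointer whose other role is defined outside the hunk. The comment `/* this is bad, bail out */` could state the reason instead: a nul byte makes every str*() consumer below operate on a shorter header than the one actually received.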