BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers

hlua_http_add_hdr() passes Lua string values directly to htx_add_header()
without validation. This can be an issue for user-controlled data, but as
well when relying on poorly written scripts. This patch makes sure that
neither the name nor the value may contain any of these forbidden chars.

This should be backported to all versions since the issue has been there
since at least 2.4.

diff --git a/src/hlua.c b/src/hlua.c
index b87b587e4702f50751685c9ec49554d3e3204af9..2e06fffa587f0cde195a49e012b3df9ba7e433aa 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -6709,6 +6709,20 @@ __LJMP static inline int hlua_http_add_hdr(lua_State *L, struct http_msg *msg)
        size_t value_len;
        const char *value = MAY_LJMP(luaL_checklstring(L, 3, &value_len));
        struct htx *htx = htxbuf(&msg->chn->buf);
+       size_t i;
+
+       /* Reject header values containing CR/LF/NUL to prevent HTTP header
+        * injection on HTTP/1 output.
+        */
+       for (i = 0; i < name_len; i++) {
+               if (name[i] == 0 || name[i] == '\r' || name[i] == '\n')
+                       WILL_LJMP(lua_error(L));
+       }
+
+       for (i = 0; i < value_len; i++) {
+               if (value[i] == 0 || value[i] == '\r' || value[i] == '\n')
+                       WILL_LJMP(lua_error(L));
+       }
 
        lua_pushboolean(L, http_add_header(htx, ist2(name, name_len),
                                           ist2(value, value_len), 1));