Skip to content

[WinHTTP] Validate header values for ASCII #115112

New issue
New issue
Closed
Closed
[WinHTTP] Validate header values for ASCII#115112
Assignees
ManickaP
Labels
area-System.Net.HttpenhancementProduct code improvement that does NOT require public API changes/additions
Milestone
10.0.0
@ManickaP

Description

@ManickaP
ManickaP
opened on Apr 28, 2025

We pass headers to WinHTTP.dll without any validation of their values:

runtime/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

Line 742 in cc37009

requestHeadersBuffer.AppendLine(requestMessage.Headers.ToString());

We should validate the values to be well-formed the same way as SocketsHttpHandler does:

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnection.cs

Line 509 in a37502b

OperationStatus status = Ascii.FromUtf16(s, buffer, out int bytesWritten);

I.e. For ASCII chars.

See RFC for header values: https://www.rfc-editor.org/rfc/rfc9110.html#name-field-values

Note: it allows up to the full byte to allow encoding like Latin-1 for historical purposes.

Metadata

Metadata

Assignees

Labels

area-System.Net.HttpenhancementProduct code improvement that does NOT require public API changes/additions

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions