http: check reason chars in writeHead

Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated.  One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.

CVE-2016-5325

PR-URL: nodejs-private/node-private#48
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>

Author: evanlucas

lib/http.js

@@ -1233,6 +1233,9 @@ ServerResponse.prototype.writeHead = function(statusCode) {
   if (statusCode < 100 || statusCode > 999)
     throw new RangeError('Invalid status code: ' + statusCode);
 
+  if (_checkInvalidHeaderChar(reasonPhrase))
+    throw new Error('Invalid character in statusMessage.');
+
   var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' +
                    reasonPhrase + CRLF;
 

test/simple/test-http-status-reason-invalid-chars.js

@@ -0,0 +1,27 @@
+'use strict';
+
+var common = require('../common');
+var assert = require('assert');
+var http = require('http');
+
+var server = http.createServer(function(req, res) {
+  assert.throws(function() {
+    res.writeHead(200, 'OK\r\nContent-Type: text/html\r\n');
+  }, /Invalid character in statusMessage/);
+
+  assert.throws(function() {
+    res.writeHead(200, 'OK\u010D\u010AContent-Type: gotcha\r\n');
+  }, /Invalid character in statusMessage/);
+  res.end();
+}).listen(common.PORT, common.mustCall(function() {
+  var url = 'http://localhost:' + common.PORT;
+  var left = 1;
+  var check = common.mustCall(function(res) {
+    res.resume();
+    left--;
+    assert.notEqual(res.headers['content-type'], 'text/html');
+    assert.notEqual(res.headers['content-type'], 'gotcha');
+    if (left === 0) server.close();
+  }, 1);
+  http.get(url + '/explicit', check);
+}));