Change #269895
| Category | None |
| Changed by | alhudz <al.hudz.k@gmail.com> |
| Changed at | Mon 08 Jun 2026 13:56:10 |
| Repository | https://api.github.com/repos/curl/curl |
| Project | curl/curl |
| Branch | master |
| Revision | 7de0a7e71aad984cb7f514fb2987662e2fe8115e |
Comments
chunked: reject invalid bytes in trailer Trailers are delivered to the application as headers via CLIENTWRITE_TRAILER, but unlike regular response headers they skipped the verify_header() checks, so a server could smuggle a nul byte (or stray CR) into a header reaching CURLOPT_HEADERFUNCTION and curl_easy_header(). Run each assembled trailer line through Curl_verify_header(), the same validation used for normal headers. Covered by the new test 2106. Closes #21896
Changed files
- lib/http.c
- lib/http.h
- lib/http_chunks.c
- tests/data/Makefile.am
- tests/data/test2106