[WinHTTP] Validate header values for ASCII #16

@ManickaP

We pass headers to WinHTTP.dll without any validation of their values:
https://github.com/dotnet/runtime/blob/cc3700953542b96052f73fc7ee259994692575cf/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs#L742
We should validate the values to be well-formed the same way as SocketsHttpHandler does:
https://github.com/dotnet/runtime/blob/a37502bc5f33765413118a4f1b888c79c403a809/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnection.cs#L509

I.e., for ASCII chars.

See RFC for header values: https://www.rfc-editor.org/rfc/rfc9110.html#name-field-values

Note: it allows up to the full byte to allow encoding like Latin-1 for historical purposes.
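
The check requested in this issue, sketched as an added example (not part of the original issue and not dotnet/runtime code): it accepts ASCII by default, optionally the 0x80-0xFF range the RFC permits, and goes slightly beyond the ASCII check by also rejecting the control characters RFC 9110 disallows in field values. `HeaderValueValidator` and its members are hypothetical names, and the sample values are constructed.

```csharp
using System;

// Added example, not dotnet/runtime code. All names here are hypothetical.
public static class HeaderValueValidator
{
    // Returns the index of the first character that must not be sent in a
    // header value, or -1 when the whole value is acceptable.
    // allowObsText: also accept 0x80-0xFF (RFC 9110 obs-text, e.g. Latin-1).
    public static int IndexOfInvalidChar(string value, bool allowObsText = false)
    {
        if (value is null) throw new ArgumentNullException(nameof(value));
        int max = allowObsText ? 0xFF : 0x7F;
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c > max) return i;               // outside the permitted byte range
            if (c == '\t') continue;             // HTAB is allowed inside a value
            if (c < 0x20 || c == 0x7F) return i; // CR, LF, NUL and other controls
        }
        return -1;
    }

    // Call before handing the header to the native layer; fails closed.
    public static void ThrowIfInvalid(string name, string value, bool allowObsText = false)
    {
        int i = IndexOfInvalidChar(value, allowObsText);
        if (i >= 0)
        {
            throw new FormatException(
                $"Header '{name}' has invalid character U+{(int)value[i]:X4} at index {i}.");
        }
    }

    public static void Main()
    {
        // Constructed sample values: plain ASCII, Latin-1, control chars, non-Latin-1.
        string[] samples =
        {
            "text/html; charset=utf-8", // -1 / -1
            "caf\u00E9",                //  3 / -1
            "a\r\nb",                   //  1 /  1
            "\u65E5\u672C",             //  0 /  0
        };
        foreach (string s in samples)
        {
            Console.WriteLine(
                $"ascii-only: {IndexOfInvalidChar(s)}, with obs-text: {IndexOfInvalidChar(s, true)}");
        }
    }
}
```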
