fix#1165: sanitize header values to prevent injection and add helloworld_inject example (#1167)

notfresh · web-flow · commit 0e9aa2e5bdb6 · 2026-03-27T08:42:36.000+01:00
diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt
@@ -7,6 +7,10 @@ add_executable(helloworld helloworld.cpp)
 add_warnings_optimizations(helloworld)
 target_link_libraries(helloworld PUBLIC Crow::Crow)
 
+add_executable(helloworld_inject helloworld_inject.cpp)
+add_warnings_optimizations(helloworld_inject)
+target_link_libraries(helloworld_inject PUBLIC Crow::Crow)
+
 # If compression is enabled, the example will be built
 if("compression" IN_LIST CROW_FEATURES)
   add_executable(example_compression example_compression.cpp)
diff --git a/examples/helloworld_inject.cpp b/examples/helloworld_inject.cpp
@@ -0,0 +1,16 @@
+#include "crow.h"
+
+int main()
+{
+    crow::SimpleApp app;
+
+    CROW_ROUTE(app, "/")
+    ([](const crow::request &req, crow::response& res) {
+        res.write("Hello, world!");
+        res.set_header("X-Custom", "safe\r\nInjected: yes");
+        res.end();
+        //return "Hello, world!";
+    });
+
+    app.port(18080).run();
+}
diff --git a/include/crow/http_request.h b/include/crow/http_request.h
@@ -9,6 +9,8 @@
 #include <asio.hpp>
 #endif
 
+#include <algorithm>
+
 #include "crow/common.h"
 #include "crow/ci_map.h"
 #include "crow/query_string.h"
@@ -19,6 +21,14 @@ namespace crow // NOTE: Already documented in "crow/app.h"
     namespace asio = boost::asio;
 #endif
 
+    /// Remove CR (\r) and LF (\n) characters from a header name or value to prevent header injection.
+    inline void sanitize_header_value(std::string& s)
+    {
+        s.erase(std::remove_if(s.begin(), s.end(),
+                               [](char c) { return c == '\r' || c == '\n'; }),
+                s.end());
+    }
+
     /// Find and return the value associated with the key. (returns an empty string if nothing is found)
     inline const std::string& get_header_value(const ci_map& headers, const std::string& key)
     {
@@ -63,6 +73,8 @@ namespace crow // NOTE: Already documented in "crow/app.h"
 
         void add_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.emplace(std::move(key), std::move(value));
         }
 
diff --git a/include/crow/http_response.h b/include/crow/http_response.h
@@ -59,13 +59,17 @@ namespace crow
         /// Set the value of an existing header in the response.
         void set_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.erase(key);
             headers.emplace(std::move(key), std::move(value));
         }
 
         /// Add a new header to the response.
         void add_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.emplace(std::move(key), std::move(value));
         }
 

Original file line number	Diff line number	Diff line change
`@@ -59,13 +59,17 @@ namespace crow`
`59`	`59`	`/// Set the value of an existing header in the response.`
`60`	`60`	`void set_header(std::string key, std::string value)`
`61`	`61`	`{`
	`62`	`+ sanitize_header_value(key);`
	`63`	`+ sanitize_header_value(value);`
`62`	`64`	`headers.erase(key);`
`63`	`65`	`headers.emplace(std::move(key), std::move(value));`
`64`	`66`	`}`
`65`	`67`
`66`	`68`	`/// Add a new header to the response.`
`67`	`69`	`void add_header(std::string key, std::string value)`
`68`	`70`	`{`
	`71`	`+ sanitize_header_value(key);`
	`72`	`+ sanitize_header_value(value);`
`69`	`73`	`headers.emplace(std::move(key), std::move(value));`
`70`	`74`	`}`
`71`	`75`