Merge commit from fork

The HTTP/1 request encoder spliced the caller-supplied method into the
request line verbatim. An application forwarding attacker-controlled
input as the HTTP method was exposed to CRLF injection: a method
containing "\r\n" could terminate the request line early, inject
arbitrary headers, and pipeline a second attacker-chosen request onto
the same connection.

The request target has been validated since 1.7.0, but the method had
no equivalent check. Validate it as an RFC 9110 token (1*tchar), the
same production used for header names, rejecting CRLF, spaces, and other
control characters.

Fixes GHSA-2pg6-44cx-c49v.

Author: ericmj

lib/mint/http1.ex

@@ -48,6 +48,8 @@ defmodule Mint.HTTP1 do
 
     * `{:invalid_request_target, target}` - when the request target is invalid.
 
+    * `{:invalid_request_method, method}` - when the request method is invalid.
+
     * `:invalid_header` - when headers can't be parsed correctly.
 
     * `{:invalid_header_name, name}` - when a header name is invalid.
@@ -1176,6 +1178,10 @@ defmodule Mint.HTTP1 do
     "invalid request target: #{inspect(target)}"
   end
 
+  def format_error({:invalid_request_method, method}) do
+    "invalid request method: #{inspect(method)}"
+  end
+
   def format_error({:invalid_header_name, name}) do
     "invalid header name: #{inspect(name)}"
   end

lib/mint/http1/request.ex

@@ -4,6 +4,8 @@ defmodule Mint.HTTP1.Request do
   import Mint.HTTP1.Parse
 
   def encode(method, target, headers, body) do
+    validate_method!(method)
+
     body = [
       encode_request_line(method, target),
       encode_headers(headers),
@@ -45,6 +47,17 @@ defmodule Mint.HTTP1.Request do
     [Integer.to_string(length, 16), "\r\n", chunk, "\r\n"]
   end
 
+  defp validate_method!(method) do
+    _ =
+      for <<char <- method>> do
+        unless is_tchar(char) do
+          throw({:mint, {:invalid_request_method, method}})
+        end
+      end
+
+    :ok
+  end
+
   defp validate_header_name!(name) do
     _ =
       for <<char <- name>> do

test/mint/http1/request_test.exs

@@ -42,6 +42,31 @@ defmodule Mint.HTTP1.RequestTest do
       assert Request.encode("GET", "/", [{"foo", "bar\r\n"}], nil) ==
                {:error, {:invalid_header_value, "foo", "bar\r\n"}}
     end
+
+    test "method with CRLF is rejected" do
+      method = "GET / HTTP/1.1\r\nX-Smuggled: 1\r\nGET /admin"
+
+      assert Request.encode(method, "/", [], nil) ==
+               {:error, {:invalid_request_method, method}}
+    end
+
+    test "method with a space is rejected" do
+      assert Request.encode("GET /admin", "/", [], nil) ==
+               {:error, {:invalid_request_method, "GET /admin"}}
+    end
+
+    test "method with a control character is rejected" do
+      assert Request.encode("GET\t", "/", [], nil) ==
+               {:error, {:invalid_request_method, "GET\t"}}
+    end
+
+    test "custom token method is accepted" do
+      assert encode_request("PROPFIND", "/", [], nil) ==
+               request_string("""
+               PROPFIND / HTTP/1.1
+
+               """)
+    end
   end
 
   describe "encode_chunk/1" do