Reject carriage return in header values to prevent header injection

sferik · sferik · commit b52733a740b0 · 2026-03-09T02:06:53.000-07:00
The header value validation only checked for \n but not \r alone, which could allow smuggling control characters into HTTP headers. Closes #355.
diff --git a/lib/http/headers.rb b/lib/http/headers.rb
@@ -335,7 +335,7 @@ def normalize_header(name)
     # @api private
     def validate_value(value)
       v = value.to_s
-      return v unless v.include?("\n")
+      return v unless v.include?("\n") || v.include?("\r")
 
       raise HeaderError, "Invalid HTTP header field value: #{v.inspect}"
     end
diff --git a/test/http/headers_test.rb b/test/http/headers_test.rb
@@ -651,6 +651,14 @@ def obj.inspect = "INSPECTED"
 
       assert_includes err.message, '"bad\nvalue"'
     end
+
+    it "raises HeaderError when value contains a carriage return" do
+      assert_raises(HTTP::HeaderError) { headers.add "X-Test", "foo\rbar" }
+    end
+
+    it "raises HeaderError when value contains CRLF" do
+      assert_raises(HTTP::HeaderError) { headers.add "X-Test", "foo\r\nbar" }
+    end
   end
 
   describe "#merge!" do
