Skip to content

Commit

Permalink
fix: HeaderName::from_lowercase allowing NUL bytes in some cases
Browse files Browse the repository at this point in the history
If a byte slice larger than 64 bytes is passed to
`HeaderName::from_lowercase`, it could allow NUL bytes. This fixes the
bug.

Reported-by: [email protected]
  • Loading branch information
seanmonstar committed Mar 4, 2024
1 parent 9bb3259 commit e1a3197
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions src/header/name.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1174,9 +1174,9 @@ impl HeaderName {
}
Repr::Custom(MaybeLower { buf, lower: false }) => {
for &b in buf.iter() {
// HEADER_CHARS maps all bytes that are not valid single-byte
// HEADER_CHARS_H2 maps all bytes that are not valid single-byte
// UTF-8 to 0 so this check returns an error for invalid UTF-8.
if b != HEADER_CHARS[b as usize] {
if HEADER_CHARS_H2[b as usize] == 0 {
return Err(InvalidHeaderName::new());
}
}
Expand Down Expand Up @@ -1865,4 +1865,16 @@ mod tests {
fn test_all_tokens() {
HeaderName::from_static("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz");
}

#[test]
fn test_from_lowercase() {
HeaderName::from_lowercase(&[0; 10]).unwrap_err();
HeaderName::from_lowercase(&[b'A'; 10]).unwrap_err();
HeaderName::from_lowercase(&[0x1; 10]).unwrap_err();
HeaderName::from_lowercase(&[0xFF; 10]).unwrap_err();
//HeaderName::from_lowercase(&[0; 100]).unwrap_err();
HeaderName::from_lowercase(&[b'A'; 100]).unwrap_err();
HeaderName::from_lowercase(&[0x1; 100]).unwrap_err();
HeaderName::from_lowercase(&[0xFF; 100]).unwrap_err();
}
}

0 comments on commit e1a3197

Please sign in to comment.