diff options
| author | rob <rob@robwu.nl> | 2014-08-25 14:13:07 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2014-08-25 21:14:42 +0000 |
| commit | 7aad4986b5ab03e70d7390e99f3f2e9da6b521ae (patch) | |
| tree | 5f212a05c13dcdbfe7dadc2c082e30124a97543a /net/http/http_util.h | |
| parent | d0e3a463b927708845f33a8d7102fc74723b6e37 (diff) | |
| download | chromium_src-7aad4986b5ab03e70d7390e99f3f2e9da6b521ae.zip chromium_src-7aad4986b5ab03e70d7390e99f3f2e9da6b521ae.tar.gz chromium_src-7aad4986b5ab03e70d7390e99f3f2e9da6b521ae.tar.bz2 | |
Make sure that HttpRequestHeaders contains valid key-value pairs.
Tracked down all uses of SetHeader() and SetHeaderIfMissing() and added
input validation where necessary (using the new IsValidHeader{Name,Value}
methods in http_util, moved from web_request_api_helpers).
After that, I added a DCHECK which serves as documentation to the users
of http_request_headers: The input must not contain illegal characters.
BUG=390458
Review URL: https://codereview.chromium.org/491123004
Cr-Commit-Position: refs/heads/master@{#291761}
Diffstat (limited to 'net/http/http_util.h')
| -rw-r--r-- | net/http/http_util.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/http/http_util.h b/net/http/http_util.h index 14117c0..bde65dc 100644 --- a/net/http/http_util.h +++ b/net/http/http_util.h @@ -75,6 +75,13 @@ class NET_EXPORT HttpUtil { // named |name|. static bool IsSafeHeader(const std::string& name); + // Returns true if |name| is a valid HTTP header name. + static bool IsValidHeaderName(const std::string& name); + + // Returns false if |value| contains NUL or CRLF. This method does not perform + // a fully RFC-2616-compliant header value validation. + static bool IsValidHeaderValue(const std::string& value); + // Strips all header lines from |headers| whose name matches // |headers_to_remove|. |headers_to_remove| is a list of null-terminated // lower-case header names, with array length |headers_to_remove_len|. |