We pass headers to WinHTTP.dll without any validation of their values:

runtime/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
Line 742 in cc37009

```csharp
requestHeadersBuffer.AppendLine(requestMessage.Headers.ToString());
```

We should validate the values to be well-formed the same way as SocketsHttpHandler does:

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnection.cs
Line 509 in a37502b

```csharp
OperationStatus status = Ascii.FromUtf16(s, buffer, out int bytesWritten);
```

I.e. for ASCII chars.

See RFC for header values: https://www.rfc-editor.org/rfc/rfc9110.html#name-field-values

Note: it allows up to the full byte to allow encoding like Latin-1 for historical purposes.
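An added example, not code from dotnet/runtime or from the issue author: one way a header value could be checked before it is appended to a buffer handed to a native API, using the same `Ascii.FromUtf16` call quoted above (.NET 8 or later). The `HeaderValidation.AppendValidated` helper, the exception type and the sample headers are assumptions; the CR/LF/NUL check goes beyond the ASCII check named in the issue and follows RFC 9110 section 5.5.

```csharp
using System;
using System.Buffers;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;

// Constructed sample headers for illustration (not taken from the issue).
var sample = new Dictionary<string, string>
{
    ["Accept"] = "text/html",
    ["X-Display-Name"] = "Zo\u00EB",   // contains a non-ASCII char
    ["X-Note"] = "line1\r\nline2",     // contains CR LF
};

var headersBuffer = new StringBuilder();
foreach (var (name, value) in sample)
{
    try { HeaderValidation.AppendValidated(headersBuffer, name, value); }
    catch (HttpRequestException e) { Console.WriteLine($"rejected: {e.Message}"); }
}
Console.Write(headersBuffer);

static class HeaderValidation
{
    // Hypothetical helper: appends "name: value" only if the value passes both checks.
    public static void AppendValidated(StringBuilder buffer, string name, string value)
    {
        // RFC 9110 section 5.5: CR, LF and NUL are invalid inside a field value.
        if (value.AsSpan().IndexOfAny('\r', '\n', '\0') >= 0)
            throw new HttpRequestException($"Control character in value of header '{name}'.");

        // ASCII check: the UTF-16 to ASCII transcode stops with InvalidData
        // at the first char above 0x7F.
        byte[] scratch = ArrayPool<byte>.Shared.Rent(value.Length);
        try
        {
            OperationStatus status = Ascii.FromUtf16(value, scratch, out _);
            if (status != OperationStatus.Done)
                throw new HttpRequestException($"Non-ASCII character in value of header '{name}'.");
        }
        finally
        {
            ArrayPool<byte>.Shared.Return(scratch);
        }

        buffer.Append(name).Append(": ").AppendLine(value);
    }
}
```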