From 21640ac82a1bb5efa8cf0b3841be1ac80add6785 Mon Sep 17 00:00:00 2001
From: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com>
Date: Thu, 26 Jun 2025 12:43:50 +0300
Subject: [PATCH] fix(webserver): Validate header inputs
---
 libraries/WebServer/src/WebServer.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/libraries/WebServer/src/WebServer.cpp b/libraries/WebServer/src/WebServer.cpp
index 652a86f58..7523e4025 100644
--- a/libraries/WebServer/src/WebServer.cpp
+++ b/libraries/WebServer/src/WebServer.cpp
@@ -502,6 +502,16 @@ void WebServer::stop() {
 }
 
 void WebServer::sendHeader(const String &name, const String &value, bool first) {
+ if (name.indexOf('\r') != -1 || name.indexOf('\n') != -1) {
+ log_e("Invalid character in HTTP header name");
+ return;
+ }
+
+ if (value.indexOf('\r') != -1 || value.indexOf('\n') != -1) {
+ log_e("Invalid character in HTTP header value");
+ return;
+ }
+
 RequestArgument *header = new RequestArgument();
 header->key = name;
 header->value = value;
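Review bot: A rejected header is dropped with only a `log_e` line, and since `sendHeader` returns void the caller cannot tell that the response went out without it. That matters when the dropped header is one the application relies on, so the behaviour should be documented above the function, e.g. `// Headers whose name or value contains CR or LF are logged and dropped, not sent (prevents header injection / response splitting).` The two guards repeat the same CR/LF test and could share one small file-local helper. The check covers only this entry point, so any other path that places caller-supplied text into the header block (none is visible in this hunk) would presumably need the same validation. The body of `sendHeader` continues past the end of the hunk.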