fix(webserver): Validate header inputs

2025-06-26 12:43:50 +03:00 · 2025-06-26 12:43:50 +03:00 · 21640ac82a
commit 21640ac82a
parent 9e61fa7e4b
1 changed files with 10 additions and 0 deletions
--- a/libraries/WebServer/src/WebServer.cpp
+++ b/libraries/WebServer/src/WebServer.cpp
@ -502,6 +502,16 @@ void WebServer::stop() {
 }

 void WebServer::sendHeader(const String &name, const String &value, bool first) {
+  if (name.indexOf('\r') != -1 || name.indexOf('\n') != -1) {
+    log_e("Invalid character in HTTP header name");
+    return;
+  }
+
+  if (value.indexOf('\r') != -1 || value.indexOf('\n') != -1) {
+    log_e("Invalid character in HTTP header value");
+    return;
+  }
+
  RequestArgument *header = new RequestArgument();
  header->key = name;
  header->value = value;