@benoitc benoitc commented Jan 19, 2026

Summary

  • Sanitize header values by stripping CR and LF characters during serialization
  • Prevents HTTP header injection attacks where newlines in header values could inject additional headers
  • Also sanitizes parameter values in headers with parameters (e.g., Content-Type)

Fixes #506

Header values containing CR or LF characters could be used for HTTP
header injection attacks. This fix strips CR and LF characters from
header values during serialization in to_iolist/1.

The sanitization is also applied to parameter values in
Content-Type and similar headers with parameters.

Fixes #506
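To make the behaviour described above concrete, here is an added Python re-creation of a header serializer that strips CR and LF from values and from parameter values (as in Content-Type) before emitting the line; it is illustration only, not the project's to_iolist/1, and the function names and sample values are constructed.

```python
import re

# The characters the fix removes: a CR or LF inside a value would end the
# header line early and let the remainder be parsed as a new header.
_CRLF = re.compile(r"[\r\n]")


def sanitize_value(value: str) -> str:
    """Strip CR and LF so a value cannot terminate its header line."""
    return _CRLF.sub("", value)


def serialize_header(name: str, value: str, params=None) -> str:
    """Serialize one header line, sanitizing the value and every parameter.

    params is an optional list of (key, value) pairs, e.g. for Content-Type.
    """
    parts = [sanitize_value(value)]
    for key, pvalue in params or []:
        parts.append(f"{key}={sanitize_value(pvalue)}")
    return f"{name}: {'; '.join(parts)}\r\n"


def serialize_headers(headers) -> str:
    """Serialize (name, value[, params]) tuples into a header block."""
    out = []
    for header in headers:
        name, value = header[0], header[1]
        params = header[2] if len(header) > 2 else None
        out.append(serialize_header(name, value, params))
    return "".join(out)


def count_header_lines(block: str) -> int:
    """Count emitted lines; one per input header proves nothing was injected."""
    return len([line for line in block.split("\r\n") if line])


def demo():
    # Constructed hostile value: a CRLF followed by what looks like a header.
    injected = "text/html\r\nX-Injected: yes"
    naive = f"Content-Type: {injected}\r\n"        # unsanitized: two lines
    safe = serialize_header("Content-Type", injected)  # sanitized: one line
    return count_header_lines(naive), count_header_lines(safe)
```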
@benoitc benoitc merged commit 9d0eb82 into master Jan 19, 2026
5 checks passed
@benoitc benoitc deleted the fix/506-header-injection branch January 19, 2026 16:26

Linked issue (#506): Newline character is not escaped in headers