[DOC] Add CWE-113 warning to DefaultHttpHeaders constructor (#9646)
### Motivation: I've now found two libraries that use Netty to be vulnerable to [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')](https://cwe.mitre.org/data/definitions/113.html) due to using `new DefaultHttpHeaders(false)`. Some part of me hopes that this warning will help dissuade library authors from disabling this important security check. ### Modification: Add documentation to `DefaultHttpHeaders(boolean)` to warn about the implications of `false`. ### Result: This improves the documentation on `DefaultHttpHeaders`.
This commit is contained in:
parent
c0f9923823
commit
cde6a6d7d1
@ -72,6 +72,18 @@ public class DefaultHttpHeaders extends HttpHeaders {
|
||||
this(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* <b>Warning!</b> Setting <code>validate</code> to <code>false</code> will mean that Netty won't
|
||||
* validate & protect against user-supplied header values that are malicious.
|
||||
* This can leave your server implementation vulnerable to
|
||||
* <a href="https://cwe.mitre.org/data/definitions/113.html">
|
||||
* CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
|
||||
* </a>.
|
||||
* When disabling this validation, it is the responsibility of the caller to ensure that the values supplied
|
||||
* do not contain a non-url-escaped carriage return (CR) and/or line feed (LF) characters.
|
||||
*
|
||||
* @param validate Should Netty validate Header values to ensure they aren't malicious.
|
||||
*/
|
||||
public DefaultHttpHeaders(boolean validate) {
|
||||
this(validate, nameValidator(validate));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user