[DOC] Add CWE-113 warning to DefaultHttpHeaders constructor (#9646)

### Motivation: I've now found two libraries that use Netty to be vulnerable to [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')](https://cwe.mitre.org/data/definitions/113.html) due to using `new DefaultHttpHeaders(false)`. Some part of me hopes that this warning will help dissuade library authors from disabling this important security check. ### Modification: Add documentation to `DefaultHttpHeaders(boolean)` to warn about the implications of `false`. ### Result: This improves the documentation on `DefaultHttpHeaders`.
2019-10-10 14:47:28 -04:00 · 2019-10-10 14:47:28 -04:00 · cde6a6d7d1
commit cde6a6d7d1
parent c0f9923823
1 changed files with 12 additions and 0 deletions
--- a/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java
@ -72,6 +72,18 @@ public class DefaultHttpHeaders extends HttpHeaders {
        this(true);
    }

+    /**
+     * <b>Warning!</b> Setting <code>validate</code> to <code>false</code> will mean that Netty won't
+     * validate & protect against user-supplied header values that are malicious.
+     * This can leave your server implementation vulnerable to
+     * <a href="https://cwe.mitre.org/data/definitions/113.html">
+     *     CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
+     * </a>.
+     * When disabling this validation, it is the responsibility of the caller to ensure that the values supplied
+     * do not contain a non-url-escaped carriage return (CR) and/or line feed (LF) characters.
+     *
+     * @param validate Should Netty validate Header values to ensure they aren't malicious.
+     */
    public DefaultHttpHeaders(boolean validate) {
        this(validate, nameValidator(validate));
    }