Bug 16174 – [SECURITY] HTTP header injection

Status: RESOLVED
Resolution: WONTFIX
Severity: major
Priority: P1
Component: phobos
Product: D
Version: D2
Platform: All
OS: All
Creation time: 2016-06-14T19:48:00Z
Last change time: 2017-04-01T00:58:09Z
Keywords: trivial
Assigned to: nobody
Creator: cpicard

Comments

Comment #0 by cpicard — 2016-06-14T19:48:55Z
std.net.curl is vulnerable to HTTP header injection.

    import std.stdio;
    import std.net.curl;

    void main(string[] args)
    {
        auto http = HTTP("localhost:8000");
        // CR LF (\x0d\x0a) embedded in the header value
        http.addRequestHeader("User-agent", "Mozilla/5.0\x0d\x0aLocation: header injection");
        http.onReceiveHeader = (in char[] key, in char[] value) { writeln(key ~ ": " ~ value); };
        http.onReceive = (ubyte[] data) { /+ drop +/ return data.length; };
        http.perform();
    }

What was sent:

    GET / HTTP/1.1
    Host: localhost:8000
    User-Agent: Mozilla/5.0
    Location: header injection
    Accept: */*

This flaw was discussed at length here https://bugs.python.org/issue22928 as Python's standard library was affected by the same vulnerability (although there is no link). The consensus that was found is that although allowing newlines in a user-agent is RFC compliant, opening the door to security vulnerabilities is not acceptable. Today Python throws an exception when newlines are present in the header.

Comment #1 by schveiguy — 2017-04-01T00:58:09Z
While I can see the concern, the truth is that you already are able to call a function which is adding a header to the request. In that sense, this isn't exactly a "security" issue, as you have permission to add the header already. Where this can be a problem is if you are passing a string from an untrusted source, but that's probably not a good idea anyway, even if just adding one header. I'm not sure std.net.curl is the right place to make these types of decisions; it's a pretty bare wrapper around curl. Closing as WONTFIX, please re-open if you think this is in error.
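
Since the report was closed without a change to std.net.curl, a caller that builds headers from untrusted strings can validate them before calling `addRequestHeader`. The following is an added example, not part of the bug report or of Phobos; `isValidHeaderName`, `isValidHeaderValue` and `addCheckedHeader` are hypothetical helper names, and the character rules follow the RFC 7230 token and field-value grammar.

```d
// Added example: addCheckedHeader and the two validators are hypothetical
// helper names, not part of std.net.curl.
import std.ascii : isAlphaNum;
import std.exception : collectException, enforce;
import std.net.curl : HTTP;
import std.stdio : writeln;

/// RFC 7230 field-name = token: ASCII letters, digits and a fixed symbol set.
bool isValidHeaderName(const(char)[] name) pure nothrow @nogc @safe
{
    if (name.length == 0) return false;
    outer: foreach (char c; name)
    {
        if (isAlphaNum(c)) continue;
        foreach (char t; "!#$%&'*+-.^_`|~")
            if (c == t) continue outer;
        return false; // space, colon, CR, LF, non-ASCII byte, ...
    }
    return true;
}

/// Reject CR, LF, NUL and every other control byte except horizontal tab.
bool isValidHeaderValue(const(char)[] value) pure nothrow @nogc @safe
{
    foreach (char c; value)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    return true;
}

/// Validate first, then hand the pair to the unmodified Phobos call.
void addCheckedHeader(ref HTTP http, const(char)[] name, const(char)[] value)
{
    enforce(isValidHeaderName(name), "invalid HTTP header name");
    enforce(isValidHeaderValue(value), "control character in HTTP header value");
    http.addRequestHeader(name, value);
}

void main()
{
    auto http = HTTP("localhost:8000");
    http.addCheckedHeader("User-agent", "Mozilla/5.0");

    // The value from comment #0 never reaches libcurl.
    auto e = collectException(http.addCheckedHeader(
        "User-agent", "Mozilla/5.0\x0d\x0aLocation: header injection"));
    writeln(e is null ? "accepted" : "rejected: " ~ e.msg);
}
```

No request is performed here; the program only needs libcurl to be loadable so that the `HTTP` object can be constructed.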