strip crlf from resolved header template values#3444

Open

alhudz wants to merge 1 commit into OpenFeign:master from alhudz:header-template-crlf

Conversation

@alhudz alhudz commented Jun 24, 2026

Contributor

Repro: resolve a templated header (@Headers("X-Custom: {value}"), or a @HeaderMap entry) with value set to legit\r\nX-Injected: evil.
Expected: one X-Custom header.
Actual: the CR/LF survives into the header value, breaking the line and injecting an X-Injected request header.
Cause: HeaderTemplate expands header values with EncodingOptions.NOT_REQUIRED, so expand (templated values, via RequestTemplate.resolve) and getValues (@HeaderMap values added after resolve and read back when the Request is built) emit them verbatim. Query and URI templates pct-encode their values, so headers are the only un-encoded expansion path.
Fix: strip \r and \n from each value in both producers, matching the multipart Content-Type strip in #3432.
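The verbatim-versus-stripped behaviour the description reports, as an added Java example that is not part of this PR or of Feign's code base: a small stand-alone header serialiser (assumed helper names, no Feign API) renders the constructed X-Custom value once without and once with the CR/LF strip, then parses each result back to show which header names a receiver would see.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class HeaderValueSanitizer {
    // Same idea as the PR's fix: drop CR and LF so a value can never end the
    // header line it is written into. Assumed helper name, not Feign's.
    static String stripCrLf(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') sb.append(c);
        }
        return sb.toString();
    }

    // Writes headers as an HTTP/1.1 client would, with no sanitising, which is
    // what an EncodingOptions.NOT_REQUIRED-style verbatim expansion produces.
    static String renderRaw(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder();
        headers.forEach((k, v) -> sb.append(k).append(": ").append(v).append("\r\n"));
        return sb.toString();
    }

    // Same serialiser, but each value passes through the strip first.
    static String renderSanitized(Map<String, String> headers) {
        Map<String, String> clean = new LinkedHashMap<>();
        headers.forEach((k, v) -> clean.put(k, stripCrLf(v)));
        return renderRaw(clean);
    }

    // Parses a rendered block back into header names, as the receiver sees them.
    static List<String> headerNames(String rendered) {
        List<String> names = new ArrayList<>();
        for (String line : rendered.split("\r\n")) {
            int colon = line.indexOf(':');
            if (colon > 0) names.add(line.substring(0, colon));
        }
        return names;
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Constructed sample value, taken from the repro in the PR description.
        headers.put("X-Custom", "legit\r\nX-Injected: evil");
        System.out.println("raw:       " + headerNames(renderRaw(headers)));
        System.out.println("sanitized: " + headerNames(renderSanitized(headers)));
    }
}
```

The raw rendering yields two header names, the sanitised one only X-Custom, with the remainder of the injected text folded into that single value.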
