Match net/http behavior when requests or responses contain both
Content-Length and Transfer-Encoding.
Parse and validate Content-Length even when Transfer-Encoding is present, so
invalid lengths are rejected. For valid Content-Length with chunked
Transfer-Encoding, keep chunked framing as authoritative. Also apply the same
precedence when RequestHeader.DisableSpecialHeader is used.
Reject HTTP/1.1 response Transfer-Encoding values unless they are a single
chunked header, matching net/http's strict transfer parser behavior.
This prevents arbitrary or compound response Transfer-Encoding values from
being silently normalized to chunked and avoids desync/body parsing ambiguity
when parsing upstream responses.
Prevent cookie APIs from serializing embedded CR or LF bytes into
Cookie and Set-Cookie header lines.
Route Cookie key, value, domain, and path setters, parsed cookie
fields, and RequestHeader/ResponseHeader SetCookie paths through the
existing newline sanitization. Sanitize paths after normalization so
percent-decoded CR/LF bytes cannot bypass the guard.
Thanks to @vnykmshr for reporting this issue.
Reject request header field names with whitespace immediately before the
colon instead of trimming them before special-header handling.
This prevents parser differentials for malformed framing and routing
headers such as Content-Length, Transfer-Encoding, and Host when a frontend
forwards raw invalid request headers.
Keep the existing response and trailer compatibility behavior unchanged, and
add regression coverage for both header-only parsing and full request body
reads.
Validate trailer names added through AddTrailerBytes before storing them
for Trailer header serialization.
Trim OWS around comma-separated trailer names, reject names containing
bytes outside the HTTP field-name token set, and keep the existing
forbidden-trailer filtering in place. This prevents CRLF injection through
dynamic trailer names while preserving valid trailer declarations.
Add request and response regression coverage for invalid trailer names and
tab-trimmed OWS.
Prevent request and response first-line setters from serializing
embedded CR or LF bytes into the start line.
Route SetMethod, SetRequestURI, SetProtocol, and SetStatusMessage
through the existing newline sanitization used by other header-value
setters. This preserves behavior for valid inputs while preventing
header injection through malformed first-line values.
Thanks to @vnykmshr for reporting this issue.
Prevents `header.Set("Key", "value\r\nEvil-Header: injected")` from
producing extra header lines in the HTTP response/request.
Thanks to @instantraaamen for reporting this issue.
This change updates header parsing to match the behavior of net/http more closely.
**Breaking change**: headers delimited by `\n` (instead of `\r\n`) are no longer supported.
Previously, fasthttp accepted `\n` as a delimiter, which is not spec compliant.
This made it difficult to correctly parse headers containing both `\n` and `\r\n`.
RequestHeader.PeekKeys() and ResponseHeader.PeekKeys() were both
implemented wrong. The tests were also wrong causing this to never be
noticed. They both never actually returned all header keys, this has
been fixed now.
While this is a backwards incompatible change, I'm still going to
release it. Anyone using these functions would have noticed they
didn't work as documented and probably would not have continued using
them.
Fixes https://github.com/valyala/fasthttp/issues/2044
* refact: Eliminate duplication in Request/Response headers via struct embedding
* revert: SetMultipartFormBoundaryBytes
* refact: rename the params of SetProtocol and SetProtocolBytes
* fix: accept invalid headers with a space #1917
Make behavior consistent with net/http by allowing header keys and trailers containing spaces without canonicalizing them
* fix: lint paramTypeCombine
* fix: https://github.com/valyala/fasthttp/pull/1953#issuecomment-2660691298
* fix: golangci-lint nestingReduce
* Reduce sizeof ResponseHeader and RequestHeader
+ Reduce ResponseHeader from 320 to 312 bytes
+ Reduce RequestHeader from 360 to 352 bytes
+ In the benchmark tests, although there is no significant performance improvement, it theoretically reduces memory usage by 2.2% to 2.5%.
* Remove redundant comment
* Fix RequestHeader parser (#1808)
When FastHTTP receives a header value suffixed or prefixed with tabs, they should be stripped.
* Remove redundant code
* Add test for header parser including tabs (#1808)
* Don't allow \r in header names
From RFC 9112:
A sender MUST NOT generate a bare CR (a CR character not immediately
followed by LF) within any protocol elements other than the content.
A recipient of such a bare CR MUST consider that element to be invalid
or replace each bare CR with SP before processing the element or forwarding
the message.
net/http seems to completely error on this, so let's do the same.
Fixes https://github.com/valyala/fasthttp/issues/1785
* Validate the full header field
* Prevent request smuggling
Prevent request smuggling when fasthttp is behind a reverse proxy that
might interprets headers differently by being stricter. Should also
prevent request smuggling when fasthttp is used as the reverse proxy.
* Make header value comparison case-insensitive
* Auto add 'Vary' header after compression
Add config `SetAddVaryHeaderForCompression` to enable
'Vary: Accept-Encoding' header when compression is used.
* feat: always set the Vary header
* create and use `ResponseHeader.AddVaryBytes`
* not export 'AddVaryBytes'
Erik Dubbelboer
Copilot
Kashiwa
Juan Calderon-Perez
Oleksandr Redko
Oleksandr Redko
nickajacks1
AutumnSun
Anthony Ter-Saakov
kinggo
byene0923