Prevents `header.Set("Key", "value\r\nEvil-Header: injected")` from
producing extra header lines in the HTTP response/request.
Thanks to @instantraaamen for reporting this issue.
This change updates header parsing to match the behavior of net/http more closely.
**Breaking change**: headers delimited by `\n` (instead of `\r\n`) are no longer supported.
Previously, fasthttp accepted `\n` as a delimiter, which is not spec compliant.
This made it difficult to correctly parse headers containing both `\n` and `\r\n`.
RequestHeader.PeekKeys() and ResponseHeader.PeekKeys() were both
implemented wrong. The tests were also wrong causing this to never be
noticed. They both never actually returned all header keys, this has
been fixed now.
While this is a backwards incompatible change, I'm still going to
release it. Anyone using these functions would have noticed they
didn't work as documented and probably would not have continued using
them.
Fixes https://github.com/valyala/fasthttp/issues/2044
* refact: Eliminate duplication in Request/Response headers via struct embedding
* revert: SetMultipartFormBoundaryBytes
* refact: rename the params of SetProtocol and SetProtocolBytes
The fuzzer found some cases where it would panic.
The output of normalizeHeaderValue doesn't need to affect s.b and s.hLen
because the length of the normalized header will never be bigger, so it
can just be normalize in place without affecting the rest of the buffer.
* fix: accept invalid headers with a space #1917
Make behavior consistent with net/http by allowing header keys and trailers containing spaces without canonicalizing them
* fix: lint paramTypeCombine
* fix: https://github.com/valyala/fasthttp/pull/1953#issuecomment-2660691298
* fix: golangci-lint nestingReduce
- Renamed the original `delAllArgs` method to `delAllArgsStable` to maintain stable behavior.
- Added a new `delAllArgs` method for non-stable functionality, improving runtime efficiency.
* Reduce sizeof ResponseHeader and RequestHeader
+ Reduce ResponseHeader from 320 to 312 bytes
+ Reduce RequestHeader from 360 to 352 bytes
+ In the benchmark tests, although there is no significant performance improvement, it theoretically reduces memory usage by 2.2% to 2.5%.
* Remove redundant comment
* Fix RequestHeader parser (#1808)
When FastHTTP receives a header value suffixed or prefixed with tabs, they should be stripped.
* Remove redundant code
* Add test for header parser including tabs (#1808)
1. Reduce RequestHeader from 368 bytes to 360 bytes
2. Reduce Request from 816 bytes to 800 bytes
3. Reduce Response from 432 bytes to 416 bytes
4. Reduce Client from 312 bytes to 288 bytes
5. Reduce HostClient from 416 bytes to 392 bytes
6. Reduce PipelineClient from 176 bytes to 168 bytes
7. Reduce pipelineConnClient from 216 bytes to 208 bytes
8. Reduce Cookie from 232 bytes to 224 bytes
9. Reduce FS from 184 bytes to 160 bytes
10. Reduce fsHandler from 168 bytes to 160 bytes
11. Reduce ResponseHeader from 328 bytes to 320 bytes
12. Reduce headerScanner from 128 bytes to 120 bytes
13. Reduce TCPDialer from 104 bytes to 96 bytes
14. Reduce workerPool from 152 btyes to 144 btyes
* Don't allow \r in header names
From RFC 9112:
A sender MUST NOT generate a bare CR (a CR character not immediately
followed by LF) within any protocol elements other than the content.
A recipient of such a bare CR MUST consider that element to be invalid
or replace each bare CR with SP before processing the element or forwarding
the message.
net/http seems to completely error on this, so let's do the same.
Fixes https://github.com/valyala/fasthttp/issues/1785
* Validate the full header field
* Prevent request smuggling
Prevent request smuggling when fasthttp is behind a reverse proxy that
might interprets headers differently by being stricter. Should also
prevent request smuggling when fasthttp is used as the reverse proxy.
* Make header value comparison case-insensitive
* Auto add 'Vary' header after compression
Add config `SetAddVaryHeaderForCompression` to enable
'Vary: Accept-Encoding' header when compression is used.
* feat: always set the Vary header
* create and use `ResponseHeader.AddVaryBytes`
* not export 'AddVaryBytes'
Erik Dubbelboer
pj
RW
Copilot
Kashiwa
Sigmund Xia 夏天睿
Juan Calderon-Perez
Oleksandr Redko
nickajacks1
Oleksandr Redko
xiluoxi
AutumnSun
Anthony Ter-Saakov
kinggo
cui fliter
byene0923