Skip to content

Changed header value validation to accept any ascii except CR & LF #1316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 15, 2025
Merged

Changed header value validation to accept any ascii except CR & LF #1316

merged 2 commits into from
May 15, 2025

Conversation

francoisprunier
Copy link
Contributor

This is a PR for #1315

Header validation does not accept Form Feed chars (ascii 12) but they're used by the server in some headers, thus breaking the client. This happens on messages fetched from a stream that is sourcing another stream.

The validation now accepts any ascii char except for LR and LF as described in ADR 4.

scottf
scottf requested changes May 14, 2025
View reviewed changes
src/main/java/io/nats/client/impl/Headers.java Outdated
val.chars().forEach(c -> {
if ((c < 32 && c != 9) || c > 126) {
if (c < 0 || c > 255 || c == 10 || c == 13) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

char is unsigned, cannot be less than 0. Also, JAVA Charset US-ASCII only takes from 0-127 inclusive. So I think this is right.

if (c > 127 || c == 10 || c == 13) {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the original test went up to 255. Also, I'm in the process of checking with the other client developers to see what they accept (0-127 or 0-255) so we can be consistent.

@scottf
Copy link
Contributor

scottf commented May 14, 2025

@francoisprunier A couple things. First, thank you for the bug report and the contribution, this is must appreciated. As soon as I get feedback from the team, I'll let you know if it's 127 or 255, but for Java's sake I hope it's 127
Second, since this is your first contribution I'll allow it, but per CNCF guidelines, we are supposed to have signed commits. Again, first contribution it's perfectly fine.

@francoisprunier
Copy link
Contributor Author

Thanks, in the mean time I've updated the MR and used a signed commit. It restricts values to 0-127, I've looked into it and got to https://www.rfc-editor.org/rfc/rfc7230 which states that header values should be us-ascii. The original's RFC used ASCII to mean us-ascii as today's ASCII was called Extended ASCII back then.

I'll update the commit if the consensus with other client devs is to use 0-256 anyway.

@scottf
Copy link
Contributor

scottf commented May 15, 2025

Thanks, in the mean time I've updated the MR and used a signed commit. It restricts values to 0-127, I've looked into it and got to https://www.rfc-editor.org/rfc/rfc7230 which states that header values should be us-ascii. The original's RFC used ASCII to mean us-ascii as today's ASCII was called Extended ASCII back then.

I'll update the commit if the consensus with other client devs is to use 0-256 anyway.

Since the go client use a mime processor, I'm going to assume that it follows this RFC standard. I've not gotten much feedback from the team yet, so let's go with the 127 and we can always expand it later.

@scottf scottf merged commit a410cad into nats-io:main May 15, 2025
1 check passed
@scottf scottf mentioned this pull request May 15, 2025
Closed
@francoisprunier
Copy link
Contributor Author

Hi @scottf,

When do you plan on creating a release with this fix ? It's a blocking issue for us at the moment. Thanks!

@scottf
Copy link
Contributor

scottf commented May 23, 2025
edited
Loading

I'm waiting to merge another PR. You can use the 2.21.2-SNAPSHOT for now. Instructions are in the readme, but for gradle/maven you need the snapshot repo

Gradle

repositories {
    maven {
        url "https://central.sonatype.com/repository/maven-snapshots"
    }
}

Maven

<repositories>
    <repository>
        <id>sonatype snapshots</id>
        <url>https://central.sonatype.com/repository/maven-snapshots</url>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scottf scottf scottf requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@francoisprunier @scottf
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy