strip crlf from resolved header template values #3444

Open

alhudz wants to merge 1 commit into OpenFeign:master from alhudz:header-template-crlf

Conversation

alhudz (Contributor) commented Jun 24, 2026

Repro: resolve a templated header (@Headers("X-Custom: {value}"), or a @HeaderMap entry) with value set to legit\r\nX-Injected: evil.
Expected: one X-Custom header.
Actual: the CR/LF survives into the header value, breaking the line and injecting an X-Injected request header.
Cause: HeaderTemplate expands header values with EncodingOptions.NOT_REQUIRED, so expand (templated values, via RequestTemplate.resolve) and getValues (@HeaderMap values added after resolve and read back when the Request is built) emit them verbatim. Query and URI templates pct-encode their values, so headers are the only un-encoded expansion path.
Fix: strip \r and \n from each value in both producers, matching the multipart Content-Type strip in #3432.

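The injection path described above, as an added illustration that is not Feign's own HeaderTemplate or RequestTemplate code: a minimal placeholder expander that emits values verbatim (the unencoded expansion the comment describes), serialization to HTTP/1.1 wire form so the split line is visible, and the strip fix applied to both an expanded template value and a header-map value added afterwards. The class name, the helper names and the sample value are assumptions made for this example; the sample value is the one quoted in the PR description.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (hypothetical names), not Feign's HeaderTemplate.
 * Models a {name} placeholder being expanded without any encoding, the
 * resulting header block on the wire, and the CR/LF strip fix.
 */
public class HeaderCrlfDemo {

    private static final Pattern VAR = Pattern.compile("\\{([^}]+)\\}");

    /** Expand {name} placeholders verbatim, with no encoding of the substituted value. */
    static String expandVerbatim(String template, Map<String, String> vars) {
        Matcher m = VAR.matcher(template);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            String v = vars.getOrDefault(m.group(1), "");
            m.appendReplacement(sb, Matcher.quoteReplacement(v));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** The fix from the PR description: drop CR and LF from a header value. */
    static String stripCrlf(String value) {
        return value.replace("\r", "").replace("\n", "");
    }

    /** Serialize headers to HTTP/1.1 wire form, one "Name: value" line per entry. */
    static String toWire(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            sb.append(e.getKey()).append(": ").append(e.getValue()).append("\r\n");
        }
        return sb.toString();
    }

    /** Split the wire form back into header lines, the way a receiving server does. */
    static List<String> headerLines(String wire) {
        List<String> lines = new ArrayList<>();
        for (String line : wire.split("\r\n")) {
            if (!line.isEmpty()) {
                lines.add(line);
            }
        }
        return lines;
    }

    /** Build the header block for one request, optionally applying the strip to both producers. */
    static List<String> buildRequest(Map<String, String> vars, Map<String, String> headerMap, boolean strip) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Producer 1: templated header, expanded at resolve time.
        String custom = expandVerbatim("{value}", vars);
        headers.put("X-Custom", strip ? stripCrlf(custom) : custom);
        // Producer 2: header-map entries added after resolve and read back as-is.
        for (Map.Entry<String, String> e : headerMap.entrySet()) {
            headers.put(e.getKey(), strip ? stripCrlf(e.getValue()) : e.getValue());
        }
        return headerLines(toWire(headers));
    }

    public static void main(String[] args) {
        // Constructed input: the value quoted in the PR description.
        Map<String, String> vars = Map.of("value", "legit\r\nX-Injected: evil");
        // Constructed header-map entry carrying the same payload via the second producer.
        Map<String, String> headerMap = Map.of("X-Tenant", "acme\r\nX-Injected-2: evil");

        List<String> before = buildRequest(vars, headerMap, false);
        System.out.println("verbatim: " + before.size() + " header lines " + before);

        List<String> after = buildRequest(vars, headerMap, true);
        System.out.println("stripped: " + after.size() + " header lines " + after);
    }
}
```

With the strip disabled, the wire block parses as four header lines, two of them attacker-chosen names; with it enabled, each producer yields exactly one line again. Two points worth keeping in mind when reviewing a strip-based fix of this kind: it cannot be replaced by percent-encoding, because receivers do not percent-decode header values, which is why the query and URI paths can encode but the header path must sanitize; and stripping silently concatenates the remainder into the legitimate value ("legitX-Injected: evil"), so a caller that would rather fail loudly on a CR/LF in a header value needs its own check before the value reaches the template.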