Skip to content

Fix: reject '@' in HTTP header field names per RFC 9110 #12838

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
prabhleen0601-stack wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix: reject '@' in HTTP header field names per RFC 9110 #12838

prabhleen0601-stack wants to merge 1 commit into from
+2 −2

Conversation

@prabhleen0601-stack
Copy link

@prabhleen0601-stack prabhleen0601-stack commented Jan 29, 2026

RFC 9110 defines HTTP header field names as tokens, which must not contain '@'.

Currently '@' is accepted because of MIME separator handling.

This patch ensures ParseRules::is_http_field_name rejects '@', aligning behavior with RFC 9110.

This prevents invalid header names from being accepted.

@prabhleen0601-stack
Fix: reject '@' in HTTP header field names per RFC 9110
ec83d9e 
RFC 9110 defines HTTP header field names as tokens, which must not contain '@'.

Currently '@' is accepted because of MIME separator handling.

This patch ensures ParseRules::is_http_field_name rejects '@', aligning behavior with RFC 9110.

This prevents invalid header names from being accepted.
@bryancall bryancall added this to the 10.2.0 milestone Feb 2, 2026
@bryancall bryancall requested review from bneradt and Copilot February 2, 2026 22:59
Copilot AI reviewed Feb 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes HTTP header field name validation to comply with RFC 9110 by rejecting the '@' character. The current implementation incorrectly accepts '@' due to MIME separator handling logic.

Changes:

  • Removed the exception that allowed '@' in HTTP header field names
  • Updated the validation logic to properly reject all MIME separators including '@'

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

include/tscore/ParseRules.h
{
#ifndef COMPILE_PARSE_RULES
return (parseRulesCType[static_cast<unsigned char>(c)] & is_token_BIT);
return (parseRulesCType[(unsigned char)c] & is_token_BIT);
Copy link

Copilot AI Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed from static_cast<unsigned char> to C-style cast (unsigned char). C++ best practice is to use static_cast for type safety and clarity. This change appears unrelated to the PR's stated purpose of fixing '@' validation.

Suggested change
return (parseRulesCType[(unsigned char)c] & is_token_BIT);
return (parseRulesCType[static_cast<unsigned char>(c)] & is_token_BIT);

Copilot uses AI. Check for mistakes.
bryancall
bryancall reviewed Feb 2, 2026
View reviewed changes
include/tscore/ParseRules.h
{
#ifndef COMPILE_PARSE_RULES
return (parseRulesCType[static_cast<unsigned char>(c)] & is_token_BIT);
return (parseRulesCType[(unsigned char)c] & is_token_BIT);
Copy link
Contributor

@bryancall bryancall Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no C casts, please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bryancall bryancall bryancall left review comments

Copilot code review Copilot Copilot left review comments

@bneradt bneradt Awaiting requested review from bneradt

At least 1 approving review is required to merge this pull request.

Assignees

@prabhleen0601-stack prabhleen0601-stack

Labels

Bug HTTP

Projects

None yet

Milestone

10.2.0

Development

Successfully merging this pull request may close these issues.

2 participants

@prabhleen0601-stack @bryancall