Reject null bytes in headers (#12210)

Co-authored-by: vmfunc <celeste@linux.com>

Author: Dreamsorcerer

aiohttp/_http_parser.pyx

@@ -384,6 +384,13 @@ cdef class HttpParser:
             name = find_header(self._raw_name)
             value = self._raw_value.decode('utf-8', 'surrogateescape')
 
+            # reject null bytes in header values - matches the Python parser
+            # check at http_parser.py. llhttp in lenient mode doesn't reject
+            # these itself, so we need to catch them here.
+            # ref: RFC 9110 section 5.5 (CTL chars forbidden in field values)
+            if "\x00" in value:
+                raise InvalidHeader(self._raw_value)
+
             self._headers.append((name, value))
             if len(self._headers) > self._max_headers:
                 raise BadHttpMessage("Too many headers received")

aiohttp/_http_writer.pyx

@@ -111,9 +111,9 @@ cdef inline int _write_str_raise_on_nlcr(Writer* writer, object s):
         out_str = str(s)
 
     for ch in out_str:
-        if ch == 0x0D or ch == 0x0A:
+        if ch in {0x0D, 0x0A, 0x00}:
             raise ValueError(
-                "Newline or carriage return detected in headers. "
+                "Newline, carriage return, or null byte detected in headers. "
                 "Potential header injection attack."
             )
         if _write_utf8(writer, ch) < 0:

aiohttp/http_writer.py

@@ -364,9 +364,9 @@ async def drain(self) -> None:
 
 
 def _safe_header(string: str) -> str:
-    if "\r" in string or "\n" in string:
+    if "\r" in string or "\n" in string or "\x00" in string:
         raise ValueError(
-            "Newline or carriage return detected in headers. "
+            "Newline, carriage return, or null byte detected in headers. "
             "Potential header injection attack."
         )
     return string

tests/test_http_parser.py

@@ -1233,6 +1233,13 @@ def test_http_response_parser_strict_headers(response: HttpResponseParser) -> No
         response.feed_data(b"HTTP/1.1 200 test\r\nFoo: abc\x01def\r\n\r\n")
 
 
+def test_http_response_parser_null_byte_in_header_value(
+    response: HttpResponseParser,
+) -> None:
+    with pytest.raises(http_exceptions.InvalidHeader):
+        response.feed_data(b"HTTP/1.1 200 OK\r\nFoo: abc\x00def\r\n\r\n")
+
+
 def test_http_response_parser_bad_crlf(response: HttpResponseParser) -> None:
     """Still a lot of dodgy servers sending bad requests like this."""
     messages, upgrade, tail = response.feed_data(

tests/test_http_writer.py

@@ -1061,10 +1061,22 @@ def test_serialize_headers_raises_on_new_line_or_carriage_return(char: str) -> N
 
     with pytest.raises(
         ValueError,
-        match=(
-            "Newline or carriage return detected in headers. "
-            "Potential header injection attack."
-        ),
+        match="detected in headers",
+    ):
+        _serialize_headers(status_line, headers)
+
+
+def test_serialize_headers_raises_on_null_byte() -> None:
+    status_line = "HTTP/1.1 200 OK"
+    headers = CIMultiDict(
+        {
+            hdrs.CONTENT_TYPE: "text/plain\x00",
+        }
+    )
+
+    with pytest.raises(
+        ValueError,
+        match="null byte detected in headers",
     ):
         _serialize_headers(status_line, headers)