fix: validate response header names and values before AddHeader (#50131)

Matches the existing validation applied to request headers in
electron_api_url_loader.cc.

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Samuel Attard <sattard@anthropic.com>
trop[bot]
2026-03-09 11:36:34 +01:00
committed by GitHub
parent 15b95fcd52
commit 06278ba3b3
2 changed files with 12 additions and 2 deletions


@@ -24,6 +24,7 @@
#include "net/base/filename_util.h"
#include "net/http/http_request_headers.h"
#include "net/http/http_status_code.h"
#include "net/http/http_util.h"
#include "net/url_request/redirect_util.h"
#include "services/network/public/cpp/resource_request.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
@@ -138,13 +139,17 @@ network::mojom::URLResponseHeadPtr ToResponseHead(
base::Value::Dict headers;
if (dict.Get("headers", &headers)) {
for (const auto iter : headers) {
if (!net::HttpUtil::IsValidHeaderName(iter.first))
continue;
if (iter.second.is_string()) {
// key, value
head->headers->AddHeader(iter.first, iter.second.GetString());
if (net::HttpUtil::IsValidHeaderValue(iter.second.GetString()))
head->headers->AddHeader(iter.first, iter.second.GetString());
} else if (iter.second.is_list()) {
// key: [values...]
for (const auto& item : iter.second.GetList()) {
if (item.is_string())
if (item.is_string() &&
net::HttpUtil::IsValidHeaderValue(item.GetString()))
head->headers->AddHeader(iter.first, item.GetString());
}
} else {
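Review bot: The new `continue` on an invalid name and the two `IsValidHeaderValue` guards in ToResponseHead drop the header with no diagnostic, so a handler whose `Content-Security-Policy` value carries a stray newline would now serve the response with that policy simply absent. Dropping a value with NUL/CR/LF is safer than adding it, but the omission should be visible: in the two value branches, where the name has already passed validation, something like `LOG(WARNING) << "Dropping response header with invalid value: " << iter.first;` would do, assuming logging is available in this file. The converter hunk in the other file handles the same condition with `return false` instead of skipping, so the two paths should either agree or each carry a comment saying why they differ. The body of ToResponseHead starts and ends outside this hunk.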


@@ -19,6 +19,7 @@
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_util.h"
#include "net/http/http_version.h"
#include "net/url_request/redirect_info.h"
#include "services/network/public/cpp/data_element.h"
@@ -197,6 +198,10 @@ bool Converter<net::HttpResponseHeaders*>::FromV8(
}
std::string value;
gin::ConvertFromV8(isolate, localStrVal, &value);
if (!net::HttpUtil::IsValidHeaderName(key) ||
!net::HttpUtil::IsValidHeaderValue(value)) {
return false;
}
out->AddHeader(key, value);
return true;
};
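Review bot: The added `if (!net::HttpUtil::IsValidHeaderName(key) || !net::HttpUtil::IsValidHeaderValue(value))` check carries no comment saying what it guards against, and neither of the two changed files adds a test that exercises it. I would put `// Reject non-token names and values containing NUL, CR or LF so a header cannot add lines to the response.` above the condition. A regression test should pass a value containing a line break and expect the conversion to fail. The enclosing lambda and the FromV8 body start outside this hunk, so how the `false` is reported to the JavaScript caller cannot be confirmed from here.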