[whatwg/fetch] "get, decode, and split a header value" algorithm appears to choke on malformed values (Issue #1778)

### What is the issue with the Fetch Standard?

To reproduce:

1. Run the "get, decode, and split a header value" algorithm on malformed input like `"a""b"`

Expected behaviour:

Algorithm returns something, or possibly signals an error.

Actual behaviour:

Algorithm hits an assert.

As far as I can tell, there's nothing in the callers to this algorithm that guarantees the input is well-formed.

My interpretation of the spec steps inside the loop when applied to the input `"a""b"`:

1. 0 characters are appended to _temporaryValue_.
2. [collecting an HTTP quoted string](https://fetch.spec.whatwg.org/#collect-an-http-quoted-string) results in `a` being appended to _temporaryValue_. _position_ now points to the third `"`.
3. Whitespace is trimmed from _temporaryValue_. It is still `a`.
4. `a` is appended to _values_.
5. _temporaryValue_ is cleared.
6. We do not return.
7. _code point_ at _position_ is `"`, not `,`, so the assert fails.

If an implementer ignores the assert failure I think they will get the output «`a`, `b` », which is a behaviour.

Based on code inspection I believe Chromium will reject this particular input, but something like `name="a""b"` will be treated as `name="a\"\"b"`, which is also a behaviour.

https://github.com/whatwg/fetch/issues/1778

Message ID: <whatwg/fetch/issues/1778@github.com>

Received on Friday, 27 September 2024 01:54:39 UTC
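
The loop as the issue walks through it, as an added JavaScript sketch (not part of the original report and not text from the Fetch Standard). It assumes the seven loop steps listed in the report and the linked quoted-string algorithm with its default of keeping the surrounding quotes in the collected text; the function names and the `assertFailedAt` field are hypothetical, and the assert is reported as a return value instead of aborting.

```javascript
// Advance from pos while pred holds; returns the new position.
function collectWhile(input, pos, pred) {
  let end = pos;
  while (end < input.length && pred(input[end])) end++;
  return end;
}

// "Collect an HTTP quoted string" without extract-value: returns the position
// after the string; the collected text is input.slice(start, end), quotes included.
function collectQuotedString(input, pos) {
  pos++; // skip the opening quote
  while (true) {
    pos = collectWhile(input, pos, (c) => c !== '"' && c !== '\\');
    if (pos >= input.length) break;     // unterminated string
    const c = input[pos++];
    if (c === '\\') {
      if (pos >= input.length) break;   // trailing backslash
      pos++;                            // skip the escaped code point
    } else break;                       // closing quote
  }
  return pos;
}

// The loop steps as listed in the report. assertFailedAt is the index where
// the "code point at position is ','" assert would fail, or null.
function splitHeaderValue(input) {
  const values = [];
  let pos = 0, temp = '';
  while (true) {
    const end = collectWhile(input, pos, (c) => c !== '"' && c !== ',');
    temp += input.slice(pos, end);
    pos = end;
    if (pos < input.length && input[pos] === '"') {
      const qEnd = collectQuotedString(input, pos);
      temp += input.slice(pos, qEnd);
      pos = qEnd;
    }
    values.push(temp.replace(/^[\t ]+|[\t ]+$/g, '')); // trim HTTP tab or space
    temp = '';
    if (pos >= input.length) return { values, assertFailedAt: null };
    if (input[pos] !== ',') return { values, assertFailedAt: pos };
    pos++;
  }
}

// Constructed sample inputs: two malformed values from the report, two well-formed ones.
for (const s of ['"a""b"', 'name="a""b"', 'x/x;test="hi",y/y', 'nosniff,']) {
  console.log(JSON.stringify(s), JSON.stringify(splitHeaderValue(s)));
}
```

A caller that must not abort can treat a non-null `assertFailedAt` as a parse failure for the whole header value, which avoids picking one of the divergent interpretations silently.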