https://issues.dlang.org/show_bug.cgi?id=16174
Issue ID: 16174
Summary: [SECURITY] HTTP header injection
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P1
Component: phobos
Assignee: nob...@puremagic.com
Reporter: cpic...@openmailbox.org

std.net.curl is vulnerable to HTTP header injection.

    import std.stdio;
    import std.net.curl;

    void main(string[] args)
    {
        auto http = HTTP("localhost:8000");
        // The CR LF (\x0d\x0a) inside the value ends the User-Agent line and
        // starts a second header that the caller never set.
        http.addRequestHeader("User-agent", "Mozilla/5.0\x0d\x0aLocation: header injection");
        http.onReceiveHeader = (in char[] key, in char[] value) { writeln(key ~ ": " ~ value); };
        http.onReceive = (ubyte[] data) { /+ drop +/ return data.length; };
        http.perform();
    }

What was sent:

    GET / HTTP/1.1
    Host: localhost:8000
    User-Agent: Mozilla/5.0
    Location: header injection
    Accept: */*

This flaw was discussed at length here https://bugs.python.org/issue22928 as python's standard library was affected by the same vulnerability (although there is no link). The consensus that was found is that although allowing newlines in a user-agent is RFC compliant, it opening the door to security vulnerabilities is not acceptable. Today python throws an exception when newlines are present in the header.
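The check that closes this hole, as an added example that is not part of the report or of Phobos: a minimal request serializer in Python (the language whose fix the report cites) that rejects any CR or LF in a header name or value, next to the unchecked path that shows how the value from the report turns into two header lines on the wire. All function names are hypothetical; the injected User-Agent value is constructed from the report.

```python
import re

# Any bare CR or LF in a name or value lets the value end the current header
# line and begin a new one. Assumption: reject every CR/LF outright, which is
# stricter than RFC 7230 obs-fold but is what modern clients do.
_CR_OR_LF = re.compile(r"[\r\n]")

# Constructed from the report: the User-Agent value carrying an injected line.
INJECTED_UA = "Mozilla/5.0\r\nLocation: header injection"


def validate_header(name: str, value: str) -> None:
    """Raise ValueError if the name or value could split into extra lines."""
    if not name or _CR_OR_LF.search(name):
        raise ValueError(f"illegal header name: {name!r}")
    if _CR_OR_LF.search(value):
        raise ValueError(f"illegal header value for {name!r}: {value!r}")


def unsafe_headers(headers) -> list:
    """Detection helper: names of headers whose value would inject a line."""
    return [n for n, v in headers if _CR_OR_LF.search(n) or _CR_OR_LF.search(v)]


def serialize_request(method, path, host, headers, check=True) -> bytes:
    """Build the request bytes; with check=True every header is validated first."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers:
        if check:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_lines(raw: bytes) -> list:
    """Split the header block back into lines, as a receiving server would."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]


if __name__ == "__main__":
    raw = serialize_request("GET", "/", "localhost:8000",
                            [("User-Agent", INJECTED_UA)], check=False)
    for line in header_lines(raw):
        print(line.decode("latin-1"))
    print("flagged:", unsafe_headers([("User-Agent", INJECTED_UA)]))
```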