Skip to content

Changed header value validation to accept any ascii except CR & LF#1316

Merged
scottf merged 2 commits intonats-io:mainfrom
francoisprunier:header-validation-fix
May 15, 2025
Merged

Changed header value validation to accept any ascii except CR & LF#1316
scottf merged 2 commits intonats-io:mainfrom
francoisprunier:header-validation-fix

Conversation

@francoisprunier
Copy link
Contributor

@francoisprunier francoisprunier commented May 14, 2025

This is a PR for #1315

Header validation does not accept Form Feed chars (ascii 12) but they're used by the server in some headers, thus breaking the client. This happens on messages fetched from a stream that is sourcing another stream.

The validation now accepts any ascii char except for LR and LF as described in ADR 4.

scottf
scottf requested changes May 14, 2025
View reviewed changes
src/main/java/io/nats/client/impl/Headers.java Outdated
// The field-body may be composed of any ASCII characters, except CR or LF.
val.chars().forEach(c -> {
if ((c < 32 && c != 9) || c > 126) {
if (c < 0 || c > 255 || c == 10 || c == 13) {
Copy link
Contributor

@scottf scottf May 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

char is unsigned, cannot be less than 0. Also, JAVA Charset US-ASCII only takes from 0-127 inclusive. So I think this is right.

if (c > 127 || c == 10 || c == 13) {

Copy link
Contributor

@scottf scottf May 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the original test went up to 255. Also, I'm in the process of checking with the other client developers to see what they accept (0-127 or 0-255) so we can be consistent.

@scottf
Copy link
Contributor

scottf commented May 14, 2025

@francoisprunier A couple things. First, thank you for the bug report and the contribution, this is must appreciated. As soon as I get feedback from the team, I'll let you know if it's 127 or 255, but for Java's sake I hope it's 127
Second, since this is your first contribution I'll allow it, but per CNCF guidelines, we are supposed to have signed commits. Again, first contribution it's perfectly fine.

@francoisprunier
Copy link
Contributor Author

francoisprunier commented May 15, 2025

Thanks, in the mean time I've updated the MR and used a signed commit. It restricts values to 0-127, I've looked into it and got to https://www.rfc-editor.org/rfc/rfc7230 which states that header values should be us-ascii. The original's RFC used ASCII to mean us-ascii as today's ASCII was called Extended ASCII back then.

I'll update the commit if the consensus with other client devs is to use 0-256 anyway.

@scottf
Copy link
Contributor

scottf commented May 15, 2025

Thanks, in the mean time I've updated the MR and used a signed commit. It restricts values to 0-127, I've looked into it and got to https://www.rfc-editor.org/rfc/rfc7230 which states that header values should be us-ascii. The original's RFC used ASCII to mean us-ascii as today's ASCII was called Extended ASCII back then.

I'll update the commit if the consensus with other client devs is to use 0-256 anyway.

Since the go client use a mime processor, I'm going to assume that it follows this RFC standard. I've not gotten much feedback from the team yet, so let's go with the 127 and we can always expand it later.

@scottf scottf merged commit a410cad into nats-io:main May 15, 2025
1 check passed
@scottf scottf mentioned this pull request May 15, 2025
Closed
@francoisprunier
Copy link
Contributor Author

francoisprunier commented May 23, 2025

Hi @scottf,

When do you plan on creating a release with this fix ? It's a blocking issue for us at the moment. Thanks!

@scottf
Copy link
Contributor

scottf commented May 23, 2025
edited
Loading

I'm waiting to merge another PR. You can use the 2.21.2-SNAPSHOT for now. Instructions are in the readme, but for gradle/maven you need the snapshot repo

Gradle

repositories {
    maven {
        url "https://central.sonatype.com/repository/maven-snapshots"
    }
}

Maven

<repositories>
    <repository>
        <id>sonatype snapshots</id>
        <url>https://central.sonatype.com/repository/maven-snapshots</url>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scottf scottf scottf requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@francoisprunier @scottf