HttpRequestMessage.Headers.Add should validate the header value

[drauch]

As a security protection it would be nice if HttpRequestMessage.Headers.Add would check whether the value contains new lines. If you are allowing your users to send a certain header value, many people probably don't think about the following attack vector:

var headerValue = "<user-input>";
httpRequestMessage.Headers.Add("x-my-header", headerValue);

// user-input == "test\nx-other-header=value" // whoups

What do you think?

Best regards,
D.R.

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

As a security protection it would be nice if HttpRequestMessage.Headers.Add would check whether the value contains new lines. If you are allowing your users to send a certain header value, many people probably don't think about the following attack vector:

var headerValue = "<user-input>";
httpRequestMessage.Headers.Add("x-my-header", headerValue);

// user-input == "test\nx-other-header=value" // whoups

What do you think?

Best regards,
D.R.

Author:	drauch
Assignees:	-
Labels:	area-System.Net.Http, untriaged
Milestone:	-

[MihaZupan]

We added more strict new-line validation in #53505 that also addresses concerns raised here.
Thanks for raising the issue and please let us know if you have other concerns around headers.