TASK-010: review-pass fixes (security: WWW-Authenticate header injection)

etr · claude · etr · commit e99786686cdd · 2026-05-03T20:43:57.000+02:00
http_response::unauthorized() now rejects scheme/realm values containing
CR, LF, or NUL with std::invalid_argument (CWE-113), and escapes
embedded double-quote characters in realm per RFC 7235 §2.1
quoted-string rules (CWE-116). Without these guards a caller passing
attacker-influenced input through scheme or realm could splice
additional headers into the response or produce a malformed
WWW-Authenticate value that downstream parsers misinterpret.

Tests: 8 new LT_BEGIN_AUTO_TESTs covering CR / LF / CRLF / NUL in both
scheme and realm, plus a quote-escape test asserting the
backslash-escaped form `Basic realm="foo\"bar"`. All factories suite
tests pass locally; cpplint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/http_response.cpp b/src/http_response.cpp
@@ -31,6 +31,7 @@
 #include <map>
 #include <new>
 #include <span>
+#include <stdexcept>
 #include <string>
 #include <string_view>
 #include <type_traits>
@@ -315,15 +316,46 @@ http_response http_response::deferred(
 http_response http_response::unauthorized(std::string_view scheme,
                                           std::string_view realm,
                                           std::string body) {
+    // Security: reject scheme or realm values containing CR, LF, or NUL.
+    // Any of these characters can be used to inject additional HTTP headers
+    // into the WWW-Authenticate response header (CWE-113). This is always a
+    // caller error — callers must never pass untrusted user input as scheme
+    // or realm without first validating it. Throw std::invalid_argument so
+    // the error is visible and cannot be silently swallowed.
+    static constexpr std::string_view kForbidden("\r\n\0", 3);
+    if (scheme.find_first_of(kForbidden) != std::string_view::npos) {
+        throw std::invalid_argument(
+            "http_response::unauthorized: scheme contains forbidden control "
+            "character (CR, LF, or NUL)");
+    }
+    if (realm.find_first_of(kForbidden) != std::string_view::npos) {
+        throw std::invalid_argument(
+            "http_response::unauthorized: realm contains forbidden control "
+            "character (CR, LF, or NUL)");
+    }
+
+    // Security: escape double-quote characters inside realm per RFC 7235
+    // §2.1 quoted-string rules. An unescaped " terminates the quoted-string
+    // early, producing syntactically invalid header values that some parsers
+    // misinterpret (CWE-116).
+    std::string escaped_realm;
+    escaped_realm.reserve(realm.size());
+    for (char c : realm) {
+        if (c == '"') {
+            escaped_realm.push_back('\\');
+        }
+        escaped_realm.push_back(c);
+    }
+
     http_response r;
     r.status_code_ = http::http_utils::http_unauthorized;        // 401
-    // Build `<scheme> realm="<realm>"`. AC #3 requires byte-for-byte
-    // `Basic realm="myrealm"` for the canonical case.
+    // Build `<scheme> realm="<escaped_realm>"`. AC #3 requires byte-for-byte
+    // `Basic realm="myrealm"` for the canonical case (which has no quotes).
     std::string challenge;
-    challenge.reserve(scheme.size() + realm.size() + 10);
+    challenge.reserve(scheme.size() + escaped_realm.size() + 10);
     challenge.append(scheme.data(), scheme.size());
     challenge.append(" realm=\"", 8);
-    challenge.append(realm.data(), realm.size());
+    challenge.append(escaped_realm);
     challenge.push_back('"');
     r.with_header(http::http_utils::http_header_www_authenticate,
                   challenge);
diff --git a/test/unit/http_response_factories_test.cpp b/test/unit/http_response_factories_test.cpp
@@ -51,6 +51,7 @@
 #include <cstdint>
 #include <functional>
 #include <memory>
+#include <stdexcept>
 #include <string>
 #include <type_traits>
 #include <utility>
@@ -301,6 +302,121 @@ LT_BEGIN_AUTO_TEST(http_response_factories_suite,
     LT_CHECK_EQ(r.get_response_code(), 401);
 LT_END_AUTO_TEST(unauthorized_with_explicit_body)
 
+// -----------------------------------------------------------------------
+// unauthorized() — header injection validation (security-reviewer-iter1-1,
+// security-reviewer-iter1-2). CRLF sequences in scheme or realm must be
+// rejected (std::invalid_argument) to prevent header injection (CWE-113).
+// Double-quotes embedded in realm must be escaped per RFC 7235 §2.1
+// (backslash-escape) so the quoted-string is syntactically valid.
+// -----------------------------------------------------------------------
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_crlf_in_scheme_throws)
+    // CRLF in scheme must throw — caller error, not a runtime failure.
+    bool caught = false;
+    try {
+        auto r = http_response::unauthorized("Basic\r\nX-Injected: hdr",
+                                             "myrealm");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_crlf_in_scheme_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_lf_in_scheme_throws)
+    bool caught = false;
+    try {
+        auto r = http_response::unauthorized("Basic\nEvil: hdr", "myrealm");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_lf_in_scheme_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_cr_in_scheme_throws)
+    bool caught = false;
+    try {
+        auto r = http_response::unauthorized("Basic\r", "myrealm");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_cr_in_scheme_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_nul_in_scheme_throws)
+    // NUL in scheme is equally dangerous — reject it.
+    bool caught = false;
+    try {
+        std::string s("Basic");
+        s.push_back('\0');
+        s += "evil";
+        auto r = http_response::unauthorized(std::string_view(s.data(),
+                                                               s.size()),
+                                             "myrealm");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_nul_in_scheme_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_crlf_in_realm_throws)
+    bool caught = false;
+    try {
+        auto r = http_response::unauthorized(
+            "Basic", "evil\r\nX-Injected: hdr");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_crlf_in_realm_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_lf_in_realm_throws)
+    bool caught = false;
+    try {
+        auto r = http_response::unauthorized("Basic", "evil\nMore: hdr");
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_lf_in_realm_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_nul_in_realm_throws)
+    bool caught = false;
+    try {
+        std::string realm("my");
+        realm.push_back('\0');
+        realm += "realm";
+        auto r = http_response::unauthorized(
+            "Basic", std::string_view(realm.data(), realm.size()));
+        (void)r;
+    } catch (const std::invalid_argument&) {
+        caught = true;
+    }
+    LT_CHECK_EQ(caught, true);
+LT_END_AUTO_TEST(unauthorized_nul_in_realm_throws)
+
+LT_BEGIN_AUTO_TEST(http_response_factories_suite,
+                   unauthorized_double_quote_in_realm_is_escaped)
+    // RFC 7235 §2.1: double-quotes inside a quoted-string must be
+    // backslash-escaped.  realm=foo"bar must produce
+    // WWW-Authenticate: Basic realm="foo\"bar"
+    auto r = http_response::unauthorized("Basic", R"(foo"bar)");
+    LT_CHECK_EQ(
+        r.get_header(httpserver::http::http_utils::http_header_www_authenticate),
+        std::string(R"(Basic realm="foo\"bar")"));
+LT_END_AUTO_TEST(unauthorized_double_quote_in_realm_is_escaped)
+
 // -----------------------------------------------------------------------
 // Move smoke: factory results survive being returned from a function.
 // Protects against a future regression of the noexcept move ctor.
