From 8b37e7ea1e58e36c97852f79ec121947a1ffea08 Mon Sep 17 00:00:00 2001 From: Udo Date: Thu, 21 May 2026 10:19:43 +0000 Subject: [PATCH] Fix direct HTTP status sanitizer fallback --- src/lib/uri.cpp | 8 +++++--- tests/plugins/uce_security_smoke.py | 3 +++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/lib/uri.cpp b/src/lib/uri.cpp index e939de5..d9cba38 100644 --- a/src/lib/uri.cpp +++ b/src/lib/uri.cpp @@ -291,9 +291,11 @@ bool http_set_cookie_header_valid(String header) String http_status_line_clean(String status_line) { - if(status_line.find('\r') != String::npos || status_line.find('\n') != String::npos) - return("Status: 500 Internal Server Error"); - return(status_line); + if(status_line.find('\r') == String::npos && status_line.find('\n') == String::npos) + return(status_line); + if(str_starts_with(status_line, "HTTP/")) + return("HTTP/1.1 500 Internal Server Error"); + return("Status: 500 Internal Server Error"); } namespace { diff --git a/tests/plugins/uce_security_smoke.py b/tests/plugins/uce_security_smoke.py index c0ba6e9..17e70b8 100644 --- a/tests/plugins/uce_security_smoke.py +++ b/tests/plugins/uce_security_smoke.py @@ -58,6 +58,9 @@ def register(registry): location = response.headers.get("Location", "") if "\r" in location or "\n" in location: raise TestFailure("Location header contains raw CR/LF") + status, direct_headers, direct_body = _direct_http_request("/site/tests/security_headers.uce") + if status >= 500 and "security header sanitizer test" not in direct_body: + raise TestFailure("direct HTTP sanitizer test did not render successfully; status=%s" % status) return "CRLF response header injection was sanitized" def unknown_session_id_is_not_adopted(context):