Don't interpret embeded NULLs in a response header line as a line terminator.

net/http/http_response_headers.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // The rules for header parsing were borrowed from Firefox:
 // http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpResponseHead.cpp
 // The rules for parsing content-types were also borrowed from Firefox:
 // http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#834
 
 #include "net/http/http_response_headers.h"
@@ skipping 96 matching lines @@
   return codes;
 }
 
 int MapHttpResponseCode(int code) {
   if (HISTOGRAM_MIN_HTTP_RESPONSE_CODE <= code &&
       code <= HISTOGRAM_MAX_HTTP_RESPONSE_CODE)
     return code;
   return 0;
 }
 
+void CheckDoesNotHaveEmbededNulls(const std::string& str) {
+  // Care needs to be taken when adding values to the raw headers string to
+  // make sure it does not contain embeded NULLs. Any embeded '\0' may be
+  // understood as line terminators and change how header lines get tokenized.
+  CHECK(str.find('\0') == std::string::npos);
+}
+
 }  // namespace
 
 struct HttpResponseHeaders::ParsedHeader {
   // A header "continuation" contains only a subsequent value for the
   // preceding header.  (Header values are comma separated.)
   bool is_continuation() const { return name_begin == name_end; }
 
   std::string::const_iterator name_begin;
   std::string::const_iterator name_end;
   std::string::const_iterator value_begin;
@@ skipping 166 matching lines @@
   new_raw_headers.push_back('\0');
 
   std::string lowercase_name(name);
   StringToLowerASCII(&lowercase_name);
   HeaderSet to_remove;
   to_remove.insert(lowercase_name);
   MergeWithHeaders(new_raw_headers, to_remove);
 }
 
 void HttpResponseHeaders::AddHeader(const std::string& header) {
+  CheckDoesNotHaveEmbededNulls(header);
   DCHECK_EQ('\0', raw_headers_[raw_headers_.size() - 2]);
   DCHECK_EQ('\0', raw_headers_[raw_headers_.size() - 1]);
   // Don't copy the last null.
   std::string new_raw_headers(raw_headers_, 0, raw_headers_.size() - 1);
   new_raw_headers.append(header);
   new_raw_headers.push_back('\0');
   new_raw_headers.push_back('\0');
 
   // Make this object hold the new data.
   raw_headers_.clear();
   parsed_.clear();
   Parse(new_raw_headers);
 }
 
 void HttpResponseHeaders::ReplaceStatusLine(const std::string& new_status) {
+  CheckDoesNotHaveEmbededNulls(new_status);
   // Copy up to the null byte.  This just copies the status line.
   std::string new_raw_headers(new_status);
   new_raw_headers.push_back('\0');
 
   HeaderSet empty_to_remove;
   MergeWithHeaders(new_raw_headers, empty_to_remove);
 }
 
 void HttpResponseHeaders::Parse(const std::string& raw_input) {
   raw_headers_.reserve(raw_input.size());
@@ skipping 903 matching lines @@
   // We have all the values; let's verify that they make sense for a 206
   // response.
   if (*first_byte_position < 0 || *last_byte_position < 0 ||
       *instance_length < 0 || *instance_length - 1 < *last_byte_position)
     return false;
 
   return true;
 }
 
 }  // namespace net