
Lack of Input Validation on Header Names and Values #33

@nitish-yaddala

Description

The current implementation directly sets headers in both set_headers and set_headers_async by iterating over self.headers.items().

However, it assumes that header_name and header_value are sanitized and safe.
If any header value contains newline characters (\n or \r\n), it could lead to HTTP Response Splitting or Header Injection vulnerabilities.

This can potentially allow attackers to inject arbitrary headers or manipulate HTTP responses, leading to security risks such as cache poisoning, cross-site scripting (XSS), or session hijacking.

Affected Code

  • set_header(header_name, header_value): Line 247, Line 275, Line 278
  • response.headers[header_name] = header_value: Line 251, Line 282

Recommendation

  • Validate and sanitize both header_name and header_value before setting them.
  • Explicitly reject or sanitize any newline (\n), carriage return (\r), or combined (\r\n) sequences.
  • Enforce a safe, printable character set for header names and values (e.g., restrict to visible ASCII).
  • Add explicit validation in the headers @cached_property during dictionary construction to prevent contaminated entries from being generated at source.
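One way to implement the validation described above, written here as an added example and not taken from the project's own code. The names validate_header, build_headers and InvalidHeaderError are assumptions; the allowed character sets follow the RFC 9110 token (name) and field-value (value) grammars, and CR/LF are rejected rather than stripped so a split can never reach the response.

```python
import re

# Header name: RFC 9110 "token" characters only (no spaces, no CR/LF).
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Header value: visible ASCII plus SP/HTAB. Excludes CR, LF, NUL, other
# control bytes and non-ASCII. fullmatch() is used on purpose: with
# re.match() a trailing "$" would still accept a value ending in "\n".
_VALUE_RE = re.compile(r"[\t \x21-\x7e]*")


class InvalidHeaderError(ValueError):
    """Raised when a header name or value could split the response."""


def validate_header(header_name: str, header_value: str) -> tuple[str, str]:
    """Return (name, value) when both are safe to emit; raise otherwise."""
    if not isinstance(header_name, str) or not isinstance(header_value, str):
        raise InvalidHeaderError("header name and value must be str")
    if not _TOKEN_RE.fullmatch(header_name):
        raise InvalidHeaderError(f"invalid header name: {header_name!r}")
    # Surrounding SP/HTAB is not significant in a field value; trim it.
    # "\r" and "\n" are deliberately not trimmed, so they fail the check.
    value = header_value.strip(" \t")
    if not _VALUE_RE.fullmatch(value):
        raise InvalidHeaderError(
            f"invalid header value for {header_name}: {header_value!r}")
    return header_name, value


def is_safe_header(header_name: str, header_value: str) -> bool:
    """Boolean form of validate_header, convenient for tests and logging."""
    try:
        validate_header(header_name, header_value)
        return True
    except InvalidHeaderError:
        return False


def build_headers(raw: dict) -> dict:
    """Validate at construction time, as suggested for the headers property.

    Every entry is checked before it is stored, so a contaminated value is
    rejected at the source instead of at each set_header() call site.
    """
    clean = {}
    for name, value in raw.items():
        clean_name, clean_value = validate_header(name, str(value))
        clean[clean_name] = clean_value
    return clean


if __name__ == "__main__":
    # Constructed sample: one benign header, one carrying a CRLF injection.
    print(build_headers({"Content-Type": "text/html; charset=utf-8"}))
    print(is_safe_header("X-Note", "ok\r\nSet-Cookie: sid=evil"))  # False
```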
