Don't use regex for HTTP header validation

julianbrost · julianbrost · commit 4f5f29532b4f · 2025-11-28T14:39:23.000+01:00
diff --git a/lib/remote/httputility.cpp b/lib/remote/httputility.cpp
@@ -8,7 +8,6 @@
 #include <string>
 #include <vector>
 #include <boost/beast/http.hpp>
-#include <boost/regex.hpp>
 
 using namespace icinga;
 
@@ -80,24 +79,6 @@ void HttpUtility::SendJsonError(HttpResponse& response,
 	HttpUtility::SendJsonBody(response, params, result);
 }
 
-/**
- * Regular expression for matching valid HTTP header names.
- *
- * Derived from the following syntax definition in RFC9110:
- *
- *     field-name = token
- *     token = 1*tchar
- *     tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
- *     ALPHA = %x41-5A / %x61-7A   ; A-Z / a-z
- *     DIGIT = %x30-39   ; 0-9
- *
- * References:
- * - https://datatracker.ietf.org/doc/html/rfc9110#section-5.1
- * - https://datatracker.ietf.org/doc/html/rfc9110#appendix-A
- * - https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
- */
-static const boost::regex l_HttpFieldNameRegex("[0-9A-Za-z!#$%&'*+\\-.^_`|~]+");
-
 /**
  * Check if the given string is suitable to be used as an HTTP header name.
  *
@@ -106,27 +87,33 @@ static const boost::regex l_HttpFieldNameRegex("[0-9A-Za-z!#$%&'*+\\-.^_`|~]+");
  */
 bool HttpUtility::IsValidHeaderName(std::string_view name)
 {
-	return boost::regex_match(name.begin(), name.end(), l_HttpFieldNameRegex);
+	/*
+	 * Derived from the following syntax definition in RFC9110:
+	 *
+	 *     field-name = token
+	 *     token = 1*tchar
+	 *     tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
+	 *     ALPHA = %x41-5A / %x61-7A   ; A-Z / a-z
+	 *     DIGIT = %x30-39   ; 0-9
+	 *
+	 * References:
+	 * - https://datatracker.ietf.org/doc/html/rfc9110#section-5.1
+	 * - https://datatracker.ietf.org/doc/html/rfc9110#appendix-A
+	 * - https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
+	 */
+
+	return !name.empty() && std::all_of(name.begin(), name.end(), [](char c) {
+		switch (c) {
+			case '!': case '#': case '$': case '%': case '&': case '\'': case '*': case '+':
+			case '-': case '.': case '^': case '_': case '`': case '|': case '~':
+				return true;
+			default:
+				return ('0' <= c && c <= '9') || ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z');
+		}
+
+	});
 }
 
-/**
- * Regular expression for matching valid HTTP header values.
- *
- * Derived from the following syntax definition in RFC9110:
- *
- *     field-value = *field-content
- *     field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
- *     field-vchar = VCHAR / obs-text
- *     obs-text = %x80-FF
- *     VCHAR = %x21-7E ; visible (printing) characters
- *
- * References:
- * - https://datatracker.ietf.org/doc/html/rfc9110#section-5.5
- * - https://datatracker.ietf.org/doc/html/rfc9110#appendix-A
- * - https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
- */
-static const boost::regex l_HttpFieldValueRegex(R"(([\x21-\x7e\x80-\xff](([ \t\x21-\x7e\x80-\xff]*)[\x21-\x7e\x80-\xff])?)*)");
-
 /**
  * Check if the given string is suitable to be used as an HTTP header value.
  *
@@ -135,5 +122,31 @@ static const boost::regex l_HttpFieldValueRegex(R"(([\x21-\x7e\x80-\xff](([ \t\x
  */
 bool HttpUtility::IsValidHeaderValue(std::string_view value)
 {
-	return boost::regex_match(value.begin(), value.end(), l_HttpFieldValueRegex);
+	/*
+	 * Derived from the following syntax definition in RFC9110:
+	 *
+	 *     field-value = *field-content
+	 *     field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
+	 *     field-vchar = VCHAR / obs-text
+	 *     obs-text = %x80-FF
+	 *     VCHAR = %x21-7E ; visible (printing) characters
+	 *
+	 * References:
+	 * - https://datatracker.ietf.org/doc/html/rfc9110#section-5.5
+	 * - https://datatracker.ietf.org/doc/html/rfc9110#appendix-A
+	 * - https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
+	 */
+
+	if (!value.empty()) {
+		// Must not start with space or tab.
+		for (char c : {*value.begin(), *value.rbegin()}) {
+			if (c == ' ' || c == '\t') {
+				return false;
+			}
+		}
+	}
+
+	return std::all_of(value.begin(), value.end(), [](char c) {
+		return c == ' ' || c == '\t' || ('\x21' <= c && c <= '\x7e') || ('\x80' <= c && c <= '\xff');
+	});
 }
