id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1435	NGINX allows sending of a malformed header per RFC7540 Section 10.3	saeohioalpha@…		"NGINX allows a header to be sent containing CRLF. At the moment Firefox crashes out when receiving them, and Chrome allows, and parses, the malformed header. There is currently a bug submitted to Chrome to fix this behavior. 

This centers around the following:

   While most of the values that can be encoded will not alter header
   field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII
   0xa), and the zero character (NUL, ASCII 0x0) might be exploited by
   an attacker if they are translated verbatim.  Any request or response
   that contains a character not permitted in a header field value MUST
   be treated as malformed (Section 8.1.2.6).  Valid characters are
   defined by the ""field-content"" ABNF rule in Section 3.2 of [RFC7230].

This was discovered when using a multi-line CSP policy for my readability & ease of editing in an NGINX config. The multi-line CSP would cause FF to fail without notice. Chrome, however, would parse and apply the CSP correctly. Through research, it was found that this was the opposite of the behavior required per RFC7540 Section 10.3. The Firefox team suggested I submit a report to NGINX with this information.

Original Firefox bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1411659)
Subsequent Chromium bug report (https://bugs.chromium.org/p/chromium/issues/detail?id=787581)

A testing page can be found with the malformed CSP header at ( https://discinsights.com/csp-test.html ).
 "	defect	closed	minor		other	1.13.x	wontfix			Linux web02 4.9.50-x86_64-linode86 #1 SMP Thu Sep 14 19:28:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.13.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --with-openssl=/root/openssl-1.1.0f/ --add-module=/root/ngx_pagespeed-1.12.34.3-stable --prefix=/opt/nginx --with-http_ssl_module --with-http_slice_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --with-http_sub_module --with-http_stub_status_module --with-http_flv_module --with-http_xslt_module --with-http_image_filter_module --with-mail --with-mail_ssl_module --with-http_mp4_module --with-http_v2_module"
