From 62b118cf22d88d8d3962d41fd6757e635c70b166 Mon Sep 17 00:00:00 2001
From: alhudz <al.hudz.k@gmail.com>
Date: Tue, 9 Jun 2026 16:26:14 +0530
Subject: [PATCH] http-proxy: verify CONNECT response headers

Verifed by test 2107

Closes #21927
---
 lib/cf-h1-proxy.c      |  6 ++++++
 tests/data/Makefile.am |  2 +-
 tests/data/test2107    | 49 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test2107

diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c
index f7974a9931..21ac6da293 100644
--- a/lib/cf-h1-proxy.c
+++ b/lib/cf-h1-proxy.c
@@ -476,6 +476,12 @@ static CURLcode single_header(struct Curl_cfilter *cf,
   /* output debug if that is requested */
   Curl_debug(data, CURLINFO_HEADER_IN, linep, line_len);
 
+  /* a CONNECT response line is handed to the client as a header, so it must
+     pass the same checks as a regular response header before delivery */
+  result = Curl_verify_header(data, linep, line_len);
+  if(result)
+    return result;
+
   /* send the header to the callback */
   writetype = CLIENTWRITE_HEADER | CLIENTWRITE_CONNECT |
     (ts->headerlines == 1 ? CLIENTWRITE_STATUS : 0);
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index 413f7a1143..a7c293cb20 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -253,7 +253,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 test2070 test2071 \
 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \
 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \
 test2088 test2089 test2090 test2091 test2092 \
-test2100 test2101 test2102 test2103 test2104 test2105 test2106 \
+test2100 test2101 test2102 test2103 test2104 test2105 test2106 test2107 \
 \
 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \
 \
diff --git a/tests/data/test2107 b/tests/data/test2107
new file mode 100644
index 0000000000..8c44044109
--- /dev/null
+++ b/tests/data/test2107
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP CONNECT
+HTTP proxy
+proxytunnel
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Content-Length: 0
+
+</data>
+<connect nocheck="yes">
+HTTP/1.1 200 OK%CR
+X-Evil: he%hex[%00]hex%llo%CR
+%CR
+</connect>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+http-proxy
+</server>
+<features>
+proxy
+</features>
+<name>
+HTTP CONNECT response with a nul byte in a header
+</name>
+<command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -p -x http://%HOSTIP:%PROXYPORT
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+8
+</errorcode>
+</verify>
+</testcase>