From c3c2cfb65d25619c7e08407b13750e566f047df6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 6 Jun 2026 17:27:52 +0200
Subject: [PATCH] http: reject spurious CR bytes in headers

Verified by test 2105
Closes #21882
---
 lib/http.c | 8 +++++++
 tests/data/Makefile.am | 2 +-
 tests/data/test2105 | 49 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test2105

diff --git a/lib/http.c b/lib/http.c
index e16d15a446..f8ca40b0a4 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3818,6 +3818,14 @@ static CURLcode verify_header(struct Curl_easy *data,
 failf(data, "Nul byte in header");
 return CURLE_WEIRD_SERVER_REPLY;
 }
+ if(hdlen > 2) {
+ ptr = memchr(hd, '\r', hdlen - 2);
+ if(ptr) {
+ /* CR may only precede the LF, nothing else */
+ failf(data, "Carriage return found in header");
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
+ }
 if(k->headerline < 2)
 /* the first "header" is the status-line and it has no colon */
 return CURLE_OK;
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index da4bdbfbce..f04cac6ea4 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -253,7 +253,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 test2070 test2071 \
 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \
 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \
 test2088 test2089 test2090 test2091 test2092 \
-test2100 test2101 test2102 test2103 test2104 \
+test2100 test2101 test2102 test2103 test2104 test2105 \
 \
 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \
 \
diff --git a/tests/data/test2105 b/tests/data/test2105
new file mode 100644
index 0000000000..8bd26caff1
--- /dev/null
+++ b/tests/data/test2105
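Review bot: The `hdlen - 2` window passed to `memchr` presumes the line handed to verify_header ends in LF with at most one CR directly before it, so the only legitimate CR sits at `hd[hdlen - 2]`; if a header fragment can reach this point without a trailing LF — this hunk does not show how `hd` is terminated — a CR in its last two bytes would go unchecked. The comment states the rule but not that assumption; I would make it `/* the only legitimate CR is the one directly before the terminating LF, so scan everything but the last two bytes */`. Storing the result in `ptr` only to test it could be `if(memchr(hd, '\r', hdlen - 2))`, avoiding reuse of a variable declared earlier in the function; verify_header begins before this hunk, so that declaration is not visible here.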
@@ -0,0 +1,49 @@ + + + + +HTTP +HTTP GET + + + +# Server-side + + +HTTP/1.1 200 OK +Date: Tue, 09 Nov 2010 14:49:00 GMT +Server: test-server/%CRfake +Content-Length: 6 +Funny-head: yesyes + +-foo- + + + +# Client-side + + +http + + +HTTP with spurious CR in received header + + +http://%HOSTIP:%HTTPPORT/%TESTNUMBER + + + +# Verify data after the test has been "shot" + + +GET /%TESTNUMBER HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* + + + +8 + + +
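Review bot: The spurious CR in this test lives only inside a header field value (`Server: test-server/%CRfake`), whereas the check it verifies runs before verify_header's status-line early return and so also applies to a CR embedded in the status line; that path has no coverage here. A second response with the CR placed in the status line, or a sibling test, would pin that behaviour. The trailing `8` is presumably the expected errorcode and is consistent with the CURLE_WEIRD_SERVER_REPLY the new failf path returns; the markup tags appear to have been stripped from this rendering, so the section boundaries are inferred.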