From c40245ca4501c8007eb2eb0d5048943a1c15e6b8 Mon Sep 17 00:00:00 2001
From: Christian Schmidt
Date: Sat, 3 Aug 2024 15:15:44 +0200
Subject: [PATCH] Prevent header injection attacks

---
 lib/em-http/http_connection_options.rb | 1 +
 spec/client_spec.rb | 36 +++++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/lib/em-http/http_connection_options.rb b/lib/em-http/http_connection_options.rb
index 0cfd7756..2cab523c 100644
--- a/lib/em-http/http_connection_options.rb
+++ b/lib/em-http/http_connection_options.rb
@@ -18,6 +18,7 @@ def initialize(uri, options)
 end
 
 uri = uri.kind_of?(Addressable::URI) ? uri : Addressable::URI::parse(uri.to_s)
+ raise Addressable::URI::InvalidURIError if uri.to_s =~ /\s/
 @https = uri.scheme == "https"
 uri.port ||= (@https ? 443 : 80)
 @tls[:sni_hostname] = uri.hostname
diff --git a/spec/client_spec.rb b/spec/client_spec.rb
index c8bfe456..cf7d7579 100644
--- a/spec/client_spec.rb
+++ b/spec/client_spec.rb
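Review bot: The new guard raises `Addressable::URI::InvalidURIError` with no message and uses `=~` where only a yes/no answer is needed; `raise Addressable::URI::InvalidURIError, "URI must not contain whitespace" if uri.to_s.match?(/\s/)` tells the caller why the request was refused (without echoing the URI, which may carry userinfo) and avoids populating `$~`. Ruby's `\s` is ASCII-only (`[ \t\r\n\f\v]`), so the CR and LF that the subject line's header-injection concern is about are rejected, but other C0 control bytes pass through; whether they can reach the request line depends on code outside this hunk, and `/[[:space:][:cntrl:]]/` would close that gap if it matters. The check validates only the composed URI, so any path, query or header values the client accepts through separate options (not visible here) would need the same rejection for the fix to be complete. `initialize` begins before and continues after this hunk.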
@@ -50,10 +50,40 @@ def failed(http=nil)
 it "should raise error on invalid URL" do
 EventMachine.run {
 lambda {
- EventMachine::HttpRequest.new('random?text').get
- }.should raise_error(Addressable::URI::InvalidURIError)
+ EventMachine::HttpRequest.new('random?text').get
+ }.should raise_error(Addressable::URI::InvalidURIError)
 
- EM.stop
+ EM.stop
+ }
+ end
+
+ it "should raise error on invalid URL containing spaces in path" do
+ EventMachine.run {
+ lambda {
+ EventMachine::HttpRequest.new('http://127.0.0.1:8090/path with space').get
+ }.should raise_error(Addressable::URI::InvalidURIError)
+
+ EM.stop
+ }
+ end
+
+ it "should raise error on invalid URL containing newlines in path" do
+ EventMachine.run {
+ lambda {
+ EventMachine::HttpRequest.new("http://127.0.0.1:8090/path\nwith\nnewlines").get
+ }.should raise_error(Addressable::URI::InvalidURIError)
+
+ EM.stop
+ }
+ end
+
+ it "should raise error on invalid URL containing spaces in query" do
+ EventMachine.run {
+ lambda {
+ EventMachine::HttpRequest.new('http://127.0.0.1:8090/?query=with space').get
+ }.should raise_error(Addressable::URI::InvalidURIError)
+
+ EM.stop
 }
 end
 
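Review bot: The new examples cover a bare LF and spaces but not the `\r\n` sequence the commit subject is about, nor a tab; adding `EventMachine::HttpRequest.new("http://127.0.0.1:8090/path\r\nwith\r\ncrlf").get` as a further example, and one that passes a pre-built `Addressable::URI` if `HttpRequest.new` accepts one (the guard in `http_connection_options.rb` runs on the composed URI in both cases), would pin the behaviour the fix claims. The four examples share an identical body and differ only in the URL, so a single `[...].each do |url| it "should raise error on invalid URL #{url.inspect}" do ... end end` table would keep them in sync as more cases are added. The re-indentation of the pre-existing 'random?text' example is bundled into the same hunk as the behavioural change, which makes the diff harder to review; whitespace-only moves are easier to verify in their own commit.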