Details
- Improvement
- Resolution: Fixed
- Major - P3
- None
- None
- Not Needed
Description
libmongocrypt should follow the HTTP/1.1 spec and use CRLF newlines instead of LF:
"Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR."
While currently the servers it communicates with may not make use of the fact that this is merely a "MAY" requirement that they can disregard, libmongocrypt should be future-proof and anticipate that servers could reject LF as a single line terminator in the future.
Node.js just started doing so, with the effect of breaking the mongosh test suite for libmongocrypt requests, citing CVE-2022-32213 (details not yet available at time of writing) as the reason.
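A strict recipient of the kind the description anticipates could check line terminators as in the added example below. It is not code from libmongocrypt or Node.js; the function name, result enum and the two sample requests (including the host `kms.example.com`) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of scanning the start-line and header section of a request. */
typedef enum { LINES_OK = 0, BARE_LF, BARE_CR, NO_HEADER_END } line_check_t;

/* Strict check (hypothetical helper): every line terminator up to and
 * including the empty line that ends the header section must be CRLF.
 * The message body after that empty line is not scanned. */
line_check_t check_header_terminators(const char *buf, size_t len)
{
    size_t line_start = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            if (i == 0 || buf[i - 1] != '\r')
                return BARE_LF;          /* LF without a preceding CR */
            if (i - 1 == line_start)
                return LINES_OK;         /* empty line: end of headers */
            line_start = i + 1;
        } else if (buf[i] == '\r') {
            if (i + 1 >= len)
                return NO_HEADER_END;    /* input ends mid-terminator */
            if (buf[i + 1] != '\n')
                return BARE_CR;          /* CR not followed by LF */
        }
    }
    return NO_HEADER_END;                /* no empty line was found */
}

/* Constructed sample requests: the same message with LF and with CRLF. */
static const char REQ_LF[] =
    "POST / HTTP/1.1\nHost: kms.example.com\n"
    "Content-Length: 2\n\n{}";
static const char REQ_CRLF[] =
    "POST / HTTP/1.1\r\nHost: kms.example.com\r\n"
    "Content-Length: 2\r\n\r\n{}";

int main(void)
{
    printf("LF request:   %d\n", (int)check_header_terminators(REQ_LF, sizeof REQ_LF - 1));
    printf("CRLF request: %d\n", (int)check_header_terminators(REQ_CRLF, sizeof REQ_CRLF - 1));
    return 0;
}
```

A server applying a check like this would answer the LF-only request with an error status, while the CRLF form passes.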
Issue Links
- causes
  PYTHON-3384 CSFLE test failure on Windows: Error in KMS response. HTTP status=400 (Closed)
- is duplicated by
  MONGOCRYPT-454 Include carriage return in HTTP requests (Closed)