Support of \r\n characters in HTTP Headers as per HTTP 1.1 as per RFC 2616 sec 2.2

[praveensri]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

The library breaks the scenario if HTTP headers uses the CRLF characters in the header. It is common in MIME transfer
"Content-Type": "multipart/report;\r\n\treport-type="disposition-notification";\r\n\tboundary="d9f60885-8cd2-4516-bc47-858c3c14d2aa""
The above content type is valid as per RFC
We addressed \t characters in the following PR but not other control characters US-ASCII (10 and 13)
#40633

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[MihaZupan]

Notably such values in headers aren't interpreted as new lines, but as regular spaces, so a workaround of replacing these characters with spaces is valid.

As far as actually sending such characters over the wire, note that RFC 2616 was superseded by RFC 7230 (2014), which was in turn superseeded by RFC 9112.
Both call the feature "obsolete" and warn against using it:

A sender MUST NOT generate a message that includes line folding (i.e., that has any field line value that contains a match to the obs-fold rule) unless the message is intended for packaging within the "message/http" media type.

[praveensri]

Adding @rama Krishna ***@***.***> From: Miha Zupan ***@***.***> Sent: 14 April 2025 16:10 To: dotnet/aspnetcore ***@***.***> Cc: Author ***@***.***> Subject: Re: [dotnet/aspnetcore] Support of \r\n characters in HTTP Headers as per HTTP 1.1 as per RFC 2616 sec 2.2 (Issue #61472) Notably such values in headers aren't interpreted as new lines, but as regular spaces, so a workaround of replacing these characters with spaces is valid. As far as actually sending such characters over the wire, note that RFC 2616 was superseded by RFC 7230<https://datatracker.ietf.org/doc/html/rfc7230#:~:text=A%20sender%20MUST%20NOT%20generate%20a%20message%20that%20includes%0A%20%20%20line%20folding> (2014), which was in turn superseeded by RFC 9112<https://www.rfc-editor.org/rfc/rfc9112.html#section-5.2>. Both call the feature "obsolete" and warn against using it: A sender MUST NOT generate a message that includes line folding (i.e., that has any field line value that contains a match to the obs-fold<https://www.rfc-editor.org/rfc/rfc9112.html#line.folding> rule) unless the message is intended for packaging within the "message/http" media type. - Reply to this email directly, view it on GitHub<#61472 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSHUFETQPXKNN74ESCYWF32ZOF73BFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVI2TKNZSGQZTCMZQGOSG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKBRG43DEMBTGQ3YFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZDSOJQHE2DMNRVG2BKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGU2TOMRUGMYTGMBTU52HE2LHM5SXFJTDOJSWC5DF>. You are receiving this email because you authored the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.