From b46307203267a7c15c86190a53877703945f8d56 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 26 May 2026 13:49:49 +0200
Subject: [PATCH] BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
hlua_http_add_hdr() passes Lua string values directly to htx_add_header() without validation. This can be an issue for user-controlled data, but as well when relying on poorly written scripts. This patch makes sure that neither the name nor the value may contain any of these forbidden chars. This should be backported to all versions since the issue has been there since at least 2.4.
---
 src/hlua.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/hlua.c b/src/hlua.c
index b87b587e4..2e06fffa5 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -6709,6 +6709,20 @@ __LJMP static inline int hlua_http_add_hdr(lua_State *L, struct http_msg *msg)
 size_t value_len;
 const char *value = MAY_LJMP(luaL_checklstring(L, 3, &value_len));
 struct htx *htx = htxbuf(&msg->chn->buf);
+ size_t i;
+
+ /* Reject header values containing CR/LF/NUL to prevent HTTP header
+ * injection on HTTP/1 output.
+ */
+ for (i = 0; i < name_len; i++) {
+ if (name[i] == 0 || name[i] == '\r' || name[i] == '\n')
+ WILL_LJMP(lua_error(L));
+ }
+
+ for (i = 0; i < value_len; i++) {
+ if (value[i] == 0 || value[i] == '\r' || value[i] == '\n')
+ WILL_LJMP(lua_error(L));
+ }
 lua_pushboolean(L, http_add_header(htx, ist2(name, name_len), ist2(value, value_len), 1));