nodejs
diff --git a/Collapse file
‎lib/_http_server.js‎
Copy file name to clipboardExpand all lines: lib/_http_server.js
+10-1Lines changed: 10 additions & 1 deletion b/Collapse file
‎lib/_http_server.js‎
Copy file name to clipboardExpand all lines: lib/_http_server.js
+10-1Lines changed: 10 additions & 1 deletion
diff --git a/Collapse file
‎lib/internal/validators.js‎
Copy file name to clipboardExpand all lines: lib/internal/validators.js
+1-1Lines changed: 1 addition & 1 deletion b/Collapse file
‎lib/internal/validators.js‎
Copy file name to clipboardExpand all lines: lib/internal/validators.js
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/Collapse file
‎test/parallel/test-http-early-hints-invalid-argument.js‎
Copy file name to clipboardExpand all lines: test/parallel/test-http-early-hints-invalid-argument.js
+41Lines changed: 41 additions & 0 deletions b/Collapse file
‎test/parallel/test-http-early-hints-invalid-argument.js‎
Copy file name to clipboardExpand all lines: test/parallel/test-http-early-hints-invalid-argument.js
+41Lines changed: 41 additions & 0 deletions
@@ -53,6 +53,8 @@ const {
   kUniqueHeaders,
   parseUniqueHeadersOption,
   OutgoingMessage,
+  validateHeaderName,
+  validateHeaderValue,
 } = require('_http_outgoing');
 const {
   kOutHeaders,
@@ -330,13 +332,20 @@ ServerResponse.prototype.writeEarlyHints = function writeEarlyHints(hints, cb) {
     return;
   }
 
+  if (checkInvalidHeaderChar(link)) {
+    throw new ERR_INVALID_CHAR('header content', 'Link');
+  }
+
   head += 'Link: ' + link + '\r\n';
 
   const keys = ObjectKeys(hints);
   for (let i = 0; i < keys.length; i++) {
     const key = keys[i];
     if (key !== 'link') {
-      head += key + ': ' + hints[key] + '\r\n';
+      validateHeaderName(key);
+      const value = hints[key];
+      validateHeaderValue(key, value);
+      head += key + ': ' + value + '\r\n';
     }
   }
 
 
@@ -509,7 +509,7 @@ function validateUnion(value, name, union) {
   (not necessarily a valid URI reference) followed by zero or more
   link-params separated by semicolons.
 */
-const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;
+const linkValueRegExp = /^(?:<[^>\r\n]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;
 
 /**
  * @param {any} value
 
@@ -47,3 +47,44 @@ const testResBody = 'response content\n';
     req.on('information', common.mustNotCall());
   }));
 }
+
+{
+  const server = http.createServer(common.mustCall((req, res) => {
+    debug('Server sending early hints with CRLF injection...');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        'link': '</styles.css>; rel=preload; as=style',
+        'X-Custom': 'valid\r\nSet-Cookie: session=evil',
+      });
+    }, (err) => err.code === 'ERR_INVALID_CHAR');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        'link': '</styles.css>; rel=preload; as=style',
+        'X-Custom\r\nSet-Cookie: session=evil': 'value',
+      });
+    }, (err) => err.code === 'ERR_INVALID_HTTP_TOKEN');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        link: '</styles.css\r\nSet-Cookie: session=evil>; rel=preload; as=style',
+      });
+    }, (err) => err.code === 'ERR_INVALID_ARG_VALUE');
+
+    debug('Server sending full response...');
+    res.end(testResBody);
+    server.close();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    const req = http.request({
+      port: server.address().port, path: '/'
+    });
+
+    req.end();
+    debug('Client sending request...');
+
+    req.on('information', common.mustNotCall());
+  }));
+}