Skip to content

Add advisory for http-types: violated ASCII invariants#2923

Merged
djc merged 2 commits into
rustsec:mainfrom
yilin0518:http-types
Jun 8, 2026
Merged

Add advisory for http-types: violated ASCII invariants#2923
djc merged 2 commits into
rustsec:mainfrom
yilin0518:http-types

Conversation

@yilin0518

Copy link
Copy Markdown
Contributor

Affected crate(s)

  • http-types(5,354,945downloads per crates.io)

Links to upstream issue(s) or PR(s)

Severity

Soundness issue: safe parsing bypasses the DNSKEY RDATA 16-bit length invariant, allowing construction of invalid records and violating new_unchecked safety preconditions, which can undermine memory safety assumptions.

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

This repo is active, but the issue has no reply for more than two months. Although this crate has published new version, the ths same soundness issues exist.

@djc

djc commented Jun 1, 2026

Copy link
Copy Markdown
Member

Pinged in the upstream issue. Feel free to ping me again if there's been no response in 4 weeks.

(Looks like the "Severity" section contains a copy/pasta error.)

@djc djc mentioned this pull request Jun 4, 2026
4 tasks
Comment thread crates/http-types/RUSTSEC-0000-0000.md Outdated
This issue has not been confirmed as Undefined Behavior, but the unsafe
justification in `Authorization::value` and `WwwAuthenticate::value` appears incorrect and can produce values outside the expected ASCII-only constraints.

## Example

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's drop the example.

Comment thread crates/http-types/RUSTSEC-0000-0000.md Outdated
Removed details about an unpatched issue and example code from the RUSTSEC-0000-0000.md file, indicating the crate is unmaintained.
@yilin0518

Copy link
Copy Markdown
Contributor Author

@djc Thank you for your feedback! I have modified the rustsec markdown.

@djc djc merged commit fc7c781 into rustsec:main Jun 8, 2026
1 check passed
@djc

djc commented Jun 8, 2026

Copy link
Copy Markdown
Member

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants