[Ruby - net/http] HTTP Header Injection in the set_content_type method

We discussed this vulnerability during Episode 117 on 07 February 2022

Maybe an issue, maybe not; the Ruby devs seem to think it's a non-issue. This is a case of a library allowing some questionable input. The net/http library provides a set_content_type method which takes in the MIME type and a dictionary of parameters. The dictionary is just joined and reflected in the final Content-Type header as key=value strings. An attacker who can control input to that dictionary can include newline characters and inject their own request headers.

This is a significant restriction for an attacker to be sure; however, it also makes little sense for Ruby to include newline characters at all, even if they are passed in. While an actual vulnerability using this is probably a rare situation, it is a bit of a quirk that might pop up somewhere.
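
For code that does pass untrusted values into that dictionary, one mitigation is to validate the parameters before they reach set_content_type. The following is an added example, not code from net/http or from the original report; safe_set_content_type is a hypothetical helper name and the sample values are constructed.

```ruby
require 'net/http'

# RFC 7230 "token" characters: what a media type and a parameter name may contain.
TCHAR = '!#$%&\'*+\-.^_`|~0-9A-Za-z'
# \A and \z anchor the whole string. Ruby's ^ and $ match at every line
# boundary, so they would accept a value with a newline in the middle.
TOKEN      = /\A[#{TCHAR}]+\z/
MEDIA_TYPE = %r{\A[#{TCHAR}]+/[#{TCHAR}]+\z}
CONTROL    = /[\x00-\x1f\x7f]/ # CR, LF, NUL and the other control characters

# Hypothetical wrapper (not part of net/http): validate first, then delegate
# to the library's own set_content_type.
def safe_set_content_type(req, type, params = {})
  raise ArgumentError, "invalid media type: #{type.inspect}" unless MEDIA_TYPE.match?(type.to_s)

  clean = params.each_with_object({}) do |(name, value), out|
    name = name.to_s
    value = value.to_s
    raise ArgumentError, "invalid parameter name: #{name.inspect}" unless TOKEN.match?(name)
    raise ArgumentError, "control character in #{name}: #{value.inspect}" if CONTROL.match?(value)

    # Values that are not plain tokens go out as an escaped quoted-string, so a
    # ';' or '"' in the value cannot start a second parameter.
    out[name] = TOKEN.match?(value) ? value : '"' + value.gsub(/["\\]/) { |c| "\\" + c } + '"'
  end

  req.set_content_type(type, clean)
  req['content-type']
end

if __FILE__ == $PROGRAM_NAME
  req = Net::HTTP::Post.new('/upload') # constructed request, never sent
  puts safe_set_content_type(req, 'text/plain', 'charset' => 'utf-8')
  begin
    # Constructed value containing CR/LF, as described in the text above.
    safe_set_content_type(req, 'text/plain', 'charset' => "utf-8\r\nX-Injected: 1")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

A rejected call leaves the previously set Content-Type header untouched, because validation finishes before set_content_type is invoked.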