From 48dec2dce95fc156c9bff26380a79b3592f91d09 Mon Sep 17 00:00:00 2001
From: David Marek
Date: Thu, 25 Mar 2021 20:51:16 +0100
Subject: [PATCH] Validate header value

Kestrel server doesn't allow non-ascii characters in header values. It throws InvalidOperationException if a header value contains non-ascii char.
---
 OCP.Msal.Proxy.Web/Controllers/AuthController.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/OCP.Msal.Proxy.Web/Controllers/AuthController.cs b/OCP.Msal.Proxy.Web/Controllers/AuthController.cs
index f7c26e6..7eee7c0 100644
--- a/OCP.Msal.Proxy.Web/Controllers/AuthController.cs
+++ b/OCP.Msal.Proxy.Web/Controllers/AuthController.cs
@@ -108,8 +108,13 @@ internal static void AddResponseHeadersFromClaims(IEnumerable claims, IHe
 var claimName = claim.Type;
 if (claimName.Contains("/")) claimName = claimName.Split('/')[claimName.Split('/').Length - 1];
 var name = $"X-Injected-{claimName}";
- if (!headers.ContainsKey(name)) headers.Add(name, claim.Value);
+ if (!headers.ContainsKey(name) && IsValidHeaderValue(claim.Value)) headers.Add(name, claim.Value);
 }
 }
+
+ internal static bool IsValidHeaderValue(string value)
+ {
+ return value.All(c => c >= 32 && c < 127);
+ }
 }
 }
\ No newline at end of file
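Review bot: The new `if` on the `+` line makes `IsValidHeaderValue` drop a claim silently whenever its value contains anything outside 0x20–0x7E, so a claim that previously failed the request now just disappears from the `X-Injected-*` headers with no trace; consider logging the rejected claim type (not the value) so a missing header can be diagnosed. The header name on the line above is built from `claim.Type` and gets no equivalent check, so a claim type containing characters that are not valid in a header name presumably still reaches `headers.Add` and fails the same way; a token-character check on `claimName` would close that gap. `value.All` throws `ArgumentNullException` on a null string, so if a claim value can ever be null here the call should read `value is not null && value.All(c => c >= 32 && c < 127)`. The helper deserves an XML comment such as `/// <summary>True when <paramref name="value"/> is printable ASCII (0x20–0x7E); rejects CR/LF and non-ASCII, which Kestrel refuses in header values.</summary>` so the deliberately strict range is not "fixed" later. `AddResponseHeadersFromClaims` begins before the hunk.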