From 50c21f053d7502aacc1d37f00330414b74e52b7d Mon Sep 17 00:00:00 2001
From: Yuxuan Chen
Date: Fri, 29 May 2026 15:54:49 -0400
Subject: [PATCH 1/2] Document HTTPClient header validation contract

---
 .../src/smithy_http/aio/interfaces/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py b/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
index 9c169c7c7..852ccebb2 100644
--- a/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
+++ b/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
@@ -64,7 +64,14 @@ def consume_body(self) -> bytes:
 class HTTPClient(ClientTransport[HTTPRequest, HTTPResponse], Protocol):
- """An asynchronous HTTP client interface."""
+ """An asynchronous HTTP client interface.
+
+ Header field names and values are not validated before reaching this
+ layer. Implementations of ``HTTPClient`` are responsible for this
+ validation: if a request's fields contain characters prohibited by
+ the HTTP specifications (such as CR or LF), the request MUST be
+ rejected.
+ """
 def __init__(self, *, client_config: HTTPClientConfiguration | None) -> None:
 """

From 4ba367ec612a9b85efa5af51a590c39efdc47b02 Mon Sep 17 00:00:00 2001
From: Yuxuan Chen
Date: Tue, 2 Jun 2026 16:23:42 -0400
Subject: [PATCH 2/2] Cite RFC 9110 Section 5.5 in docstring

---
 .../src/smithy_http/aio/interfaces/__init__.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py b/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
index 852ccebb2..c2abf670f 100644
--- a/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
+++ b/packages/smithy-http/src/smithy_http/aio/interfaces/__init__.py
@@ -67,10 +67,10 @@ class HTTPClient(ClientTransport[HTTPRequest, HTTPResponse], Protocol):
 """An asynchronous HTTP client interface.
 Header field names and values are not validated before reaching this
- layer. Implementations of ``HTTPClient`` are responsible for this
- validation: if a request's fields contain characters prohibited by
- the HTTP specifications (such as CR or LF), the request MUST be
- rejected.
+ layer. Implementations of ``HTTPClient`` are responsible for
+ validating and handling those invalid and dangerous characters (such
+ as CR, LF, or NUL) as defined in `RFC 9110, Section 5.5
+ `_.
 """
 def __init__(self, *, client_config: HTTPClientConfiguration | None) -> None:
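Review bot: The reworded sentence in the `HTTPClient` docstring no longer states the required outcome when a field contains CR, LF or NUL: "validating and handling those invalid and dangerous characters" replaces the earlier "the request MUST be rejected", and "those" has no antecedent. Because the docstring's first sentence says nothing upstream validates header fields, this is the only place the CR/LF-injection guard is assigned to implementers, so I would spell the obligation out, e.g. `Implementations MUST reject a request whose field names or values contain CR, LF, or NUL, or replace those characters in values with SP as RFC 9110 Section 5.5 allows.` Section 5.5 covers field values only; field-name syntax is defined in Section 5.1, so the claim about names needs its own reference. The link target after "Section 5.5" looks empty as shown here, which may be an artifact of how the page was captured, and the class body continues outside the hunk.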