[HTTP] Stricter header value validation

[ManickaP]

Based on RFC:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters

• Adding '\0' to forbidden characters in header value.
• Making sure we follow the same rules in Cookie as well since that results in request headers.
• Added negative / positive tests for all handlers and types of headers
• WinHTTP already refuses bad characters, so no need to validate on our side, just improved the error from "Wrong parameter" --> "Request header must be valid Latin-1".

Changes here are up for discussion, this is just my opinionated solution to the problem.
cc @MihaZupan

[Copilot]

Pull Request Overview

This PR implements stricter validation for HTTP header values by rejecting header values containing CR, LF, or NUL characters, in accordance with RFC9110. It also improves related error messages and adds tests for the new validation rules.

• Updated header validation logic throughout the HTTP and Cookie handlers.
• Improved error messages with clearer, RFC-compliant text.
• Added both negative and positive tests covering various header types and dangerous characters.

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/libraries/System.Net.Primitives/src/System/Net/Cookie.cs	Added NUL character to reserved characters and updated value checks in cookies.
src/libraries/System.Net.Http/tests/UnitTests/Headers/HttpHeadersTest.cs	Extended tests with additional dangerous header values.
src/libraries/System.Net.Http/src/System/Net/Http/HttpRuleParser.cs	Updated new-line check to include NUL characters.
src/libraries/System.Net.Http/src/System/Net/Http/HttpResponseMessage.cs	Updated reason phrase validation to include NUL.
src/libraries/System.Net.Http/src/System/Net/Http/Headers/*.cs	Replaced calls to CheckContainsNewLine with calls that also check for NUL.
src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/*.cs	Adjusted WinHTTP header handling to throw more precise exceptions.
src/libraries/System.Net.Http.WinHttpHandler/src/Resources/Strings.resx	Updated error message resource to reflect validation of NUL characters.
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs	Added extensive tests for forbidden and valid header characters.

Comments suppressed due to low confidence (1)

src/libraries/System.Net.Http/src/System/Net/Http/Headers/HttpHeaders.cs:1130

• [nitpick] The method name 'ContainsNewLineOrNull' may be misleading since it does not return a boolean value but instead validates the header value by throwing an exception when a forbidden character is found. Consider renaming it to 'EnsureNoNewLineOrNul' or a similar name that better reflects its behavior.

internal static void ContainsNewLineOrNull(string? value)

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[MihaZupan]

I'm in favour of blocking null as you suggest.

Can you please also update the fuzzer to look for nulls?
https://github.com/dotnet/runtime/blob/main/src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/HttpHeadersFuzzer.cs

[ManickaP]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[ManickaP]

/ba-g unrelated and/or known issues