http: reject control characters in http.request()
First commit:
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception.
Second commit:
The first commit is the result of nodejs-security@ discussion but I had a change of heart. I can't see any reasonable use case for allowing control characters (characters <= 31) but I can think of several scenarios where they can be used to exploit software bugs so let's ban them altogether.
There is a a potential compatibility issue in that tabs in paths have been observed in the wild, but, to the best of my knowledge, only in requests from buggy HTTP clients. Here too I don't see a reason to allow them in requests that node.js initiates.
@nodejs/http @nodejs/security