
curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection

curl
Reported by mdakh404

Vulnerability Details

Technical details and impact analysis

CRLF Injection
## Summary

Hello,

Actually, this bug was found unexpectedly during some security audits on a private asset. We found some differences between how Burp proxy / Python's requests library handle the asset's HTTP responses on a certain endpoint and how curl handles the same HTTP responses. The bug arises when curl treats `%0c` and `%0b` sequences literally, regardless of how web servers respond to these characters. The mentioned asset was well protected against CRLF injections, as we didn't have success injecting headers/cookies using the known `%0a%0b` sequence, and curl also didn't respond to our payloads as we hoped. However, when we tried other non-printable characters, curl unexpectedly responded to our request using `%0c` with the following response:

```
gk@GKs-MacBook-Air ~ % curl "https://private.asset:8100/sap/public/bc/icf/logoff?redirecturl=//google.com/%0cX-Injected-Header:%20test" -I
HTTP/1.1 302 Moved temporarily
content-type: text/html; charset=utf-8
content-length: 17
location: //google.com/
X-Injected-Header: test
```

Using `%0c%0b` sequences:

```
gk@GKs-MacBook-Air ~ % curl "https://private.asset:8100/sap/public/bc/icf/logoff?redirecturl=//google.com/%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%08%0cX-Header-Injection:%20test" -I
HTTP/1.1 302 Moved temporarily
content-type: text/html; charset=utf-8
content-length: 17
location: //google.com/
X-Header-Injection: test
```

While Burp responded differently: {F3784008}

Python's requests library also responded differently: {F3784007}

Even a random HTTP response viewer service on the public internet responded differently: {F3784006}

We found that you resolved the main CRLF issue (with `%0a%0d`) in 2012, assigning [CVE-2012-0036](https://curl.se/docs/CVE-2012-0036.html) to the security advisory published in your docs, **but** we think that our report describes a bug that makes CRLF indirectly possible again. With the high support for curl implementations in the most commonly used programming languages, the mentioned behavior could cause some confusion when receiving HTTP responses from curl, leading to unsafe CRLF treatment and thus allowing headers/cookies injection.

## Impact

CRLF confusions, Header Injection, Cookie Injection.

Regards,
Moaad (@mdakh404), Abdelkarim (@mchklt)
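The difference the report describes, as an added example that is not part of the report or of curl's code: a lenient parser that splits header lines on vertical tab (`\x0b`) and form feed (`\x0c`) as well as on CRLF (a model of the two-line rendering shown above, not curl's actual implementation), next to a strict parser that splits only on CRLF and rejects any field value containing a control byte, which RFC 7230 forbids in header values. The response bytes are constructed to resemble the report's first capture; the host and header names are taken from it. The check runs on raw bytes on purpose, because what a terminal prints for a value containing `\x0c` can differ from the bytes the server actually sent.

```python
import re

# Constructed sample modelled on the report's first capture: the server echoes the
# query value into Location, with a form feed (\x0c) followed by an extra "header".
# This is not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved temporarily\r\n"
    b"content-type: text/html; charset=utf-8\r\n"
    b"content-length: 17\r\n"
    b"location: //google.com/\x0cX-Injected-Header: test\r\n"
    b"\r\n"
    b"<html>redirect</html>"
)

# Constructed clean response for comparison.
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Moved temporarily\r\n"
    b"content-length: 17\r\n"
    b"location: //google.com/\r\n"
    b"\r\n"
)

# RFC 7230 field-value allows VCHAR, obs-text, SP and HTAB (\x09). Every other
# control byte, including VT (\x0b), FF (\x0c), CR and LF, is forbidden.
FORBIDDEN_CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def _split_head(raw):
    """Separate the status line plus headers from the body at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def _lines_to_headers(lines):
    """Turn header lines (status line first) into (lowercased name, value) pairs."""
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.strip().lower(), value.strip(b" \t")))
    return headers


def parse_lenient(raw):
    """Split header lines on LF, VT or FF as well as CRLF.

    Assumption: this models the rendering seen in the report (one header
    appearing as two); it is not how curl is implemented.
    """
    head, _ = _split_head(raw)
    lines = re.split(rb"\r?\n|[\x0b\x0c]", head)
    return _lines_to_headers(lines)


def parse_strict(raw):
    """Split only on CRLF and reject any header whose value holds a forbidden CTL byte."""
    head, _ = _split_head(raw)
    headers = _lines_to_headers(head.split(b"\r\n"))
    for name, value in headers:
        if FORBIDDEN_CTL.search(value):
            raise ValueError(f"control byte in value of header {name!r}")
    return headers


def suspicious_headers(raw):
    """Names of headers whose raw value contains a forbidden control byte.

    Suitable as a detection check on captured responses: it flags the Location
    header in SAMPLE_RESPONSE and nothing in CLEAN_RESPONSE.
    """
    head, _ = _split_head(raw)
    return [
        name.decode("latin-1")
        for name, value in _lines_to_headers(head.split(b"\r\n"))
        if FORBIDDEN_CTL.search(value)
    ]


if __name__ == "__main__":
    print("lenient:", parse_lenient(SAMPLE_RESPONSE))
    print("suspicious:", suspicious_headers(SAMPLE_RESPONSE))
    try:
        parse_strict(SAMPLE_RESPONSE)
    except ValueError as exc:
        print("strict rejected:", exc)
```

On the sample, the lenient parser reports four headers, the last one being `x-injected-header`, while the strict parser sees three headers and rejects the response because the Location value contains `\x0c`. A client that wants to avoid the confusion described in the report can apply the strict rule before trusting any header it forwards or stores.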

Related CVEs

Associated Common Vulnerabilities and Exposures

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

CRLF Injection