SWAT-20: Remove header injection vulnerability on redirect #18
Conversation
I don't understand why that large chunk is reporting as changed. Other than that, it looks good.
Oh and the version needs to be updated.
Probably converting between tabs and spaces.
@lieutdan13 @CaleHarter apparently there's a trailing whitespace at the end of all those lines that PyCharm removed.
There was a Header Injection issue (remember HTTP is a text protocol and new lines matter). Basically you could inject a header or even the text with certain parameters. Typically, this failed on redirects because of the location header. We now throw an exception if the redirect url includes a new line or carriage return. Neither of these are valid (though you can presumably escape them).
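The check the description refers to, as an added example that is not the project's own code: a redirect helper that refuses raw CR/LF in the target URL before it reaches the Location header, shown next to the unchecked version so the extra header is visible. Function names and the `X-Injected` sample input are constructed for illustration.

```python
# Added example (not the project's code). Shows why a raw CR or LF in a
# redirect target matters in a text protocol like HTTP, and the check that
# stops it. All names below are assumed, not taken from the project.
from typing import List
from urllib.parse import quote


class HeaderInjectionError(ValueError):
    """Raised when a header value contains a raw carriage return or newline."""


def is_safe_redirect_url(url: str) -> bool:
    """A Location value may not contain raw CR/LF; percent-encoded %0D%0A is fine."""
    return "\r" not in url and "\n" not in url


def validate_redirect_url(url: str) -> str:
    """Return url unchanged, or raise if it would break the header line."""
    if not is_safe_redirect_url(url):
        raise HeaderInjectionError("redirect url contains CR/LF")
    return url


def unsafe_build_redirect_response(url: str) -> bytes:
    """The 'before' behaviour: the URL is written into the header unchecked."""
    lines = ["HTTP/1.1 302 Found", f"Location: {url}", "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("ascii")


def build_redirect_response(url: str) -> bytes:
    """The hardened version: only a validated URL reaches the Location header."""
    location = validate_redirect_url(url)
    lines = ["HTTP/1.1 302 Found", f"Location: {location}", "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("ascii")


def header_names(response: bytes) -> List[str]:
    """Parse the header names out of a serialised response, for inspection."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    # Constructed sample: a redirect target carrying a raw CRLF.
    tainted = "/home\r\nX-Injected: 1"
    print(header_names(unsafe_build_redirect_response(tainted)))  # extra header appears
    print(is_safe_redirect_url(tainted))                          # False
    print(is_safe_redirect_url(quote(tainted, safe="/:")))        # True once escaped
```

Escaping the target with `urllib.parse.quote` turns the CRLF into `%0D%0A`, which the check accepts because the header line itself stays intact.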