Closed
Hi,
There is a problem with the content-type parsing that was introduced in #226.
Bottle will accept things like "text/plain;application/json" as a JSON content type, which might be used by an attacker to bypass security mechanisms.
For example, Chrome will not allow cross-origin XMLHttpRequests with the content type set to "application/json", but you can set it to "text/plain;application/json" instead and Bottle will accept it.
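The difference between a substring match and a proper media-type parse, as an added example that is not Bottle's own code (the lax check is a hypothetical illustration of the weak pattern, not Bottle's implementation; `+json` suffix handling is an assumption going beyond the report):

```python
"""Strict media-type check for request bodies.

Added example, not Bottle's code: decide whether a request body is JSON
without being fooled by values such as "text/plain;application/json".
"""
from email.message import Message  # stdlib header parser, runs offline


def lax_is_json(content_type: str) -> bool:
    # Hypothetical weak check: any occurrence of the token counts, so
    # "text/plain;application/json" is wrongly treated as JSON.
    return "application/json" in content_type.lower()


def media_type(content_type: str) -> str:
    """Return the lowercased type/subtype, with any ';' parameters removed."""
    msg = Message()
    msg["Content-Type"] = content_type
    # get_content_type() keeps only the part before ';' and lowercases it;
    # a value without exactly one '/' falls back to "text/plain".
    return msg.get_content_type()


def strict_is_json(content_type: str) -> bool:
    """Accept only a real JSON media type, with or without parameters."""
    mtype = media_type(content_type)
    # application/json, plus the +json structured-syntax suffix (assumption:
    # the report only concerns application/json itself)
    return mtype == "application/json" or mtype.endswith("+json")


# Constructed sample headers: the first two are JSON, the rest are not
SAMPLES = {
    "application/json": True,
    "Application/JSON; charset=utf-8": True,
    "text/plain;application/json": False,
    "text/plain; boundary=application/json": False,
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        print(f"{header!r}: lax={lax_is_json(header)} "
              f"strict={strict_is_json(header)} expected={expected}")
```

Run it to see the lax check accept the third header while the strict check rejects it; the strict check still accepts a legitimate `charset` parameter.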