motivation
Currently HttpClientRequest and HttpServerResponse don't check whether a header name or value contains \r or \n chars. Of course developers are fully responsible for the HTTP headers they set, and
such an incorrect value is likely unintended. Forbidding it prevents HTTP header injection for applications that omit to check headers.
change
throw an IllegalArgumentException when a header name or value contains a \r or \n char
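The check requested above, sketched as an added example in plain Java; this is not Vert.x code and not the project's implementation. The class `CrlfHeaderCheck`, its methods and the sample input are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper, not Vert.x code: a header map that enforces the proposed check.
public class CrlfHeaderCheck {
    private final Map<String, String> headers = new LinkedHashMap<>();

    // Reject any CR or LF, the characters that terminate a header line on the wire.
    static void validate(String kind, CharSequence s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException(
                    "header " + kind + " contains CR or LF at index " + i);
            }
        }
    }

    // Both the name and the value are checked before anything is stored.
    public CrlfHeaderCheck putHeader(String name, String value) {
        validate("name", name);
        validate("value", value);
        headers.put(name, value);
        return this;
    }

    // Serialize as an HTTP/1.1 header block: one "name: value" per CRLF-terminated line.
    public String serialize() {
        StringBuilder sb = new StringBuilder();
        headers.forEach((n, v) -> sb.append(n).append(": ").append(v).append("\r\n"));
        return sb.append("\r\n").toString();
    }

    public static void main(String[] args) {
        CrlfHeaderCheck h = new CrlfHeaderCheck();
        h.putHeader("Content-Type", "text/plain");
        // Constructed sample: request-derived input copied into a header value.
        String lang = "en\r\nSet-Cookie: sid=injected";
        try {
            h.putHeader("Content-Language", lang);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Only the valid header reaches the wire; no extra header line was created.
        System.out.print(h.serialize());
    }
}
```

Without the `validate` calls, the serialized block would contain a separate `Set-Cookie` line that the application never intended to send.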