uri-escape the user-supplied portion of the redirect path (CVE-2016-1133) #684
This PR fixes a flaw in the redirect handler included in H2O up to version 1.6.1 / 1.7.0-beta2.
When the redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response. H2O versions 1.6.2 and 1.7.0-beta3 have been released to address this vulnerability.
Users are advised to upgrade their servers immediately.
The CVE-ID for the issue is CVE-2016-1133.
Reported in #682.
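
The kind of fix named in the PR title, escaping the user-supplied part of the redirect path before it is placed in the `Location` header, shown as an added example. This is not H2O's code: `escape_path`, `build_location`, the character set chosen and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Percent-encode every byte except RFC 3986 unreserved characters and path-safe
 * delimiters, so CR, LF, space and '%' are always encoded; -1 if dst too small. */
static int escape_path(const char *src, size_t len, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    static const char safe[] = "-._~/!$&'()*+,;=:@";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        int keep = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || (c != 0 && strchr(safe, c) != NULL);
        if (o + (keep ? 1 : 3) >= cap) /* always leave room for the NUL */
            return -1;
        if (keep) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '%';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 15];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Location value = configured prefix + escaped request-path suffix. */
static int build_location(const char *prefix, const char *suffix, size_t suffix_len,
                          char *out, size_t cap)
{
    size_t plen = strlen(prefix);
    if (plen >= cap)
        return -1;
    memcpy(out, prefix, plen);
    int n = escape_path(suffix, suffix_len, out + plen, cap - plen);
    return n < 0 ? -1 : (int)plen + n;
}

int main(void)
{
    /* Constructed sample: a decoded request path carrying CR LF. */
    const char path[] = "a/b\r\nX-Injected: 1";
    char loc[128];
    if (build_location("https://example.com/", path, sizeof(path) - 1, loc, sizeof(loc)) < 0)
        return 1;
    printf("Location: %s\r\n", loc);
    return 0;
}
```

Because the CR and LF bytes are emitted as `%0D%0A`, the header value stays on one line and the response carries only the single `Location` header.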