uri-escape the user-supplied portion of the redirect path (CVE-2016-1133) #684

Merged
merged 2 commits into from Jan 8, 2016

kazuho commented Jan 8, 2016

This PR fixes a flaw in the redirect handler included in H2O up to version 1.6.1 / 1.7.0-beta2.

When the redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response. H2O versions 1.6.2 and 1.7.0-beta3 have been released to address this vulnerability.

Users are advised to upgrade their servers immediately.

The CVE-ID for the issue is CVE-2016-1133.

Reported in #682.

kazuho added a commit that referenced this pull request Jan 8, 2016

Merge pull request #684 from h2o/kazuho/issues/682
uri-escape the user-supplied portion of the redirect path

@kazuho kazuho merged commit c6c7e5b into master Jan 8, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

kazuho added a commit that referenced this pull request Jan 13, 2016

Merge pull request #684 from h2o/kazuho/issues/682
uri-escape the user-supplied portion of the redirect path

@kazuho kazuho changed the title from uri-escape the user-supplied portion of the redirect path to uri-escape the user-supplied portion of the redirect path (CVE-2016-1133) May 26, 2016
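
The mitigation named in the PR title, shown as an added example that is not H2O's code and not taken from this pull request: a redirect `Location` value built with and without URI-escaping of the user-supplied path suffix. The function names, the set of bytes left unescaped, and the sample prefix and suffix are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not H2O's API. Bytes copied as-is: URI unreserved set plus '/'. */
static const char SAFE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/";

/* Unescaped form: the decoded request-path suffix is copied verbatim after the prefix. */
int build_location_raw(char *dst, size_t cap, const char *prefix, const char *suffix)
{
    int n = snprintf(dst, cap, "%s%s", prefix, suffix);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Escaped form: every other byte of the user-supplied suffix becomes %XX. */
int build_location_escaped(char *dst, size_t cap, const char *prefix, const char *suffix)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(prefix);
    if (n >= cap)
        return -1;
    memcpy(dst, prefix, n);
    for (; *suffix != '\0'; suffix++) {
        unsigned char c = (unsigned char)*suffix;
        size_t need = strchr(SAFE, c) != NULL ? 1 : 3;
        if (n + need >= cap)
            return -1; /* refuse to emit a truncated redirect target */
        if (need == 1) {
            dst[n++] = (char)c;
        } else {
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 15];
        }
    }
    dst[n] = '\0';
    return 0;
}

/* Check usable in tests: a CR or LF in a header value would end the header line. */
int has_line_break(const char *v) { return strpbrk(v, "\r\n") != NULL; }

int main(void)
{
    char out[128] = ""; /* constructed sample: decoded path suffix holding a line break */
    if (build_location_escaped(out, sizeof out, "https://example.com/", "a\r\nX-Constructed: 1") == 0)
        printf("Location: %s\n", out);
    return has_line_break(out);
}
```

A regression test for a redirect handler can assert that `has_line_break` is false for the generated `Location` value across a corpus of decoded request paths.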
