You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some fields, like Set-Cookie, have an internal syntax that allows unquoted commas and messes things up when multiple lines are combined for the signature base, leading to the potential case where two semantically different inputs have the same signature base. This means that:
Set-Cookie: that, happens
Set-Cookie: to, contain, a, comma
And:
Set-Cookie: that, happens, to, contain, a, comma
Both produce the same signature input line:
"set-cookie": that, happens, to, contain, a, comma
Even though the two-line and single-line versions are processed differently by the application.
To counter this, we could have a distinct encoding flag that wraps the field values, similar to sf. This can be used to protect problematic fields like Set-Cookie so that we get something like this for the multiple line version:
Some fields, like
Set-Cookie
, have an internal syntax that allows unquoted commas and messes things up when multiple lines are combined for the signature base, leading to the potential case where two semantically different inputs have the same signature base. This means that:And:
Both produce the same signature input line:
Even though the two-line and single-line versions are processed differently by the application.
To counter this, we could have a distinct encoding flag that wraps the field values, similar to
sf
. This can be used to protect problematic fields like Set-Cookie so that we get something like this for the multiple line version:But you'd get this for the single-line version:
The background of this has been discussed in #2143 and #1183
The text was updated successfully, but these errors were encountered: