This repository has been archived by the owner. It is now read-only.

http: protect against response splitting attacks #4292


piscisaureus commented Nov 19, 2012

Ref: #4290


piscisaureus commented Nov 19, 2012

cc @isaacs @TooTallNate @bnoordhuis @indutny

Ben doesn't want this and I want it very much.

isaacs commented Nov 20, 2012

We do this already for request headers, it seems. I think it's a good idea. Does it impact performance to do this test?

koichik commented Nov 23, 2012

Refs #2602.

+ // minimize the performance impact in the common case.
+ if (/[\r\n]/.test(value))
+ value = value.replace(/[\r\n]+[ \t]*/g, '');
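Review bot: on the `value.replace(/[\r\n]+[ \t]*/g, '')` line, substituting the empty string joins the text on both sides of the line break, so a folded value such as "a\r\n b" comes out as "ab" and the header is altered silently rather than rejected. Consider replacing the match with a single space, or throwing when CR or LF is present so the caller learns its input was bad. Also, `/[\r\n]/.test(value)` coerces a non-string to a string while `value.replace` does not, so a non-string value whose string form contains CR or LF would raise a TypeError here; converting with `String(value)` before the test would avoid that.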

ThisIsMissEm Dec 2, 2012

Performance-wise, it's probably a good idea to catch these regexes.

isaacs commented Dec 8, 2012

Landed on 3c293ba.

@isaacs isaacs closed this Dec 8, 2012
