Strip null bytes from Location header #5456
add tests for stripping \r\n chars since that's already happening
Strip null bytes from Location header
Strip null bytes from Location header
Strip null bytes from Location header
Strip null bytes from Location header Conflicts: actionpack/test/controller/redirect_test.rb
end | ||
|
||
def test_redirect_with_null_bytes | ||
get :redirect_with_header_break |
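Review bot: the new test_redirect_with_null_bytes method issues `get :redirect_with_header_break`, which exercises the existing CR/LF action rather than a null-byte one, so the test would pass without covering the new stripping; change it to `get :redirect_with_null_bytes` so the test targets the action whose Location value contains a null byte.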
Hey, I think this should read redirect_with_null_bytes instead, no?
gah, yep :(
another PR plz? ❤️
on it
❤️❤️❤️❤️❤️❤️❤️❤️
This strips null bytes off of the Location header in addition to \r\n, which are already being stripped. This is in response to a recent nasty security vulnerability in nginx. I figure it's probably easier for people to get this patch in their Rails applications than it is for them to get nginx upgraded in their infrastructure - which may or may not even be managed by them.
I'd like to get this into all supported Rails versions, not sure if this patch will apply cleanly to 3.1 or 3.0 - let me know if not and I'll send some others.
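The sanitization the pull request describes, as an added example that is not code from the PR or from Rails itself: the pre-PR behaviour (CR/LF removed, NUL left in place) next to the behaviour the PR introduces (NUL removed as well), plus a small audit helper that reports which candidate redirect targets would have been altered. All method and constant names, and the sample inputs, are assumptions constructed for this example, not Rails identifiers.

```ruby
# Added example, not code from the Rails pull request or from Rails itself.
# It shows the sanitization the PR describes (drop NUL in addition to CR/LF
# before a value is used as a Location header) beside the CR/LF-only
# behaviour it extends. Method and constant names are assumptions.

# CR and LF terminate a header line, so a redirect target containing them
# can smuggle extra header lines into the response (response splitting).
# NUL is dangerous for a different reason: C-based servers and proxies may
# treat it as the end of the string and truncate or misparse the value.
CRLF_CHARS = /[\r\n]/
HEADER_BREAK_CHARS = /[\x00\r\n]/

# Pre-PR behaviour: only CR and LF are removed; a NUL byte survives.
def strip_crlf_only(location)
  location.to_s.gsub(CRLF_CHARS, '')
end

# Behaviour the PR introduces: NUL, CR and LF are all removed.
def sanitize_location(location)
  location.to_s.gsub(HEADER_BREAK_CHARS, '')
end

# True when the value can be emitted as a single, unbroken header line.
def safe_header_value?(value)
  !value.to_s.match?(HEADER_BREAK_CHARS)
end

# Audit helper: given candidate redirect targets (for instance values pulled
# from a request log), return [raw, cleaned] pairs for every value that the
# sanitizer would change. Handy for spotting probing attempts after the fact.
def audit_locations(locations)
  locations.each_with_object([]) do |loc, out|
    clean = sanitize_location(loc)
    out << [loc, clean] unless clean == loc
  end
end

# Constructed sample inputs (not from the PR): a benign target, a CR/LF
# header-injection attempt, and a target with an embedded NUL byte.
SAMPLE_LOCATIONS = [
  "http://example.com/account",
  "http://example.com/\r\nX-Injected: 1",
  "http://example.com/\0ignored"
].freeze

if __FILE__ == $0
  audit_locations(SAMPLE_LOCATIONS).each do |raw, clean|
    puts "altered: #{raw.inspect} -> #{clean.inspect}"
  end
end
```

Running the file prints the two constructed targets that the sanitizer changes; the benign one passes through untouched. The point the two helpers make side by side is the one the PR makes: a value that `strip_crlf_only` leaves "clean" can still fail `safe_header_value?` because of a NUL byte, while `sanitize_location` output always passes.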