v1.1.2

@theMiddleBlue theMiddleBlue released this 10 Jun 16:36
· 6 commits to main since this release
296a15d

Security release. Closes a request-body parser bypass class reported by Davide Virruso (z3er01 @ zeronvll).

  • Content-Type desync — parser selection now keys off the base media type (the token before the first ;), not a substring of the whole header, so application/json;charset=myxml no longer routes a JSON body to the XML parser. +json / +xml subtype suffixes preserved; mirrors check_request_content_type_enforce.
  • XML empty-parse — a body declared as XML that yields no elements (a JSON or plain-text payload) is now denied instead of slipping through with an empty argument set. This closed a full bypass against backends that force-parse the body as JSON regardless of Content-Type (e.g. Flask get_json(force=True)), which the Content-Type fix alone did not cover.
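Both fixes in one sketch, as an added example that is not the project's own code: parser selection by substring beside selection by base media type, then the deny on an XML-declared body that yields no elements. All function names, return labels and sample bodies are assumptions, and the substring check order is assumed from the behaviour described above.

```python
import xml.etree.ElementTree as ET


def select_parser_substring(content_type):
    """Pre-fix behaviour as described above: substring match on the whole header."""
    ct = content_type.lower()
    if "xml" in ct:          # also matches parameters such as charset=myxml
        return "xml"
    if "json" in ct:
        return "json"
    return "other"


def select_parser_base(content_type):
    """Post-fix behaviour: key off the token before the first ';' only."""
    base = content_type.split(";", 1)[0].strip().lower()
    subtype = base.partition("/")[2]
    if subtype == "json" or subtype.endswith("+json"):
        return "json"
    if subtype == "xml" or subtype.endswith("+xml"):
        return "xml"
    return "other"


def inspect_body(content_type, body):
    """Return (verdict, parser). 'deny' when an XML-declared, non-empty body
    produces no elements; 'inspect' means the rules go on to see the arguments."""
    parser = select_parser_base(content_type)
    if parser == "xml" and body.strip():
        try:
            elements = sum(1 for _ in ET.fromstring(body).iter())
        except ET.ParseError:
            elements = 0     # a JSON or plain-text payload is not XML at all
        if elements == 0:
            return ("deny", parser)
    return ("inspect", parser)


if __name__ == "__main__":
    # Constructed sample requests (header, body), not taken from the report.
    samples = [
        ("application/json;charset=myxml", '{"user": "a"}'),
        ("application/xml", '{"user": "a"}'),
        ("application/xml", '<item id="1"/>'),
        ("application/soap+xml; charset=utf-8", ""),
    ]
    for header, body in samples:
        print(header, select_parser_substring(header), inspect_body(header, body))
```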

Verified: CRS PL1 regression 2757/2757 (empty-diff), no false positives on valid XML (attribute-only / self-closing) or empty bodies.

See CHANGELOG.md for full details.