Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
SEC-790: DefaultLoginPageGeneratingFilter should be a better HTTP citizen #1051
DefaultLoginPageGeneratingFilter in 2.0.0 does not set content-type, character encoding or content-length when generating the response. This can lead to incorrect behavior (e.g. content-type set to text/plain) when using an overzealous proxy (yes, Apache, I’m looking at you).
Attached is a patch to have the filter set content-type to text/html; charset=UTF-8, and content-length to the length of the response.
Luke Taylor said:
Thanks for the patch. DefaultLoginPageGeneratingFilter is only really expected to be used to allow you to get up and running without the hassle of dealing with JSPs or other view technologies. I didn’t expect people to really use it in production (or behing apache proxies). But who knows :).