Fix CRLF injection in redirect and header
#3541
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The previous fix (#3539) was incomplete. The added check is not enforced when `ucwords` is set to false.
huanghantao
approved these changes
Aug 5, 2020
|
Thanks! |
Yurunsoft
pushed a commit
to Yurunsoft/swoole-src
that referenced
this pull request
Aug 31, 2020
* Fix CRLF injection in `redirect` and `header` The previous fix (swoole#3539) was incomplete. The added check is not enforced when `ucwords` is set to false. * Fix typo # Conflicts: # swoole_http_response.cc
Merged
Yurunsoft
pushed a commit
to Yurunsoft/swoole-src
that referenced
this pull request
Aug 31, 2020
* Fix CRLF injection in `redirect` and `header` The previous fix (swoole#3539) was incomplete. The added check is not enforced when `ucwords` is set to false. * Fix typo # Conflicts: # swoole_http_response.cc
matyhtf
added a commit
that referenced
this pull request
Sep 1, 2020
* Fix #3362 (#3365) * Fix #3368 (#3369) * fix #3367 * Fix typo Co-authored-by: twosee <twose@qq.com> * Fix swoole_get_local_mac on OSX (#3372) # Conflicts: # swoole.cc * fix mysql test case (#3374) * fix: stop worker in workerStart (#3382) * fix: stop worker in workerStart * improvement: add newline at end of file * Fix missing MySQL transaction error, update the test (#3429) * fix http client download filename bug (#3489) * fix http client download filename bug * fix zend::String()->release() * Fix #3532 (#3534) * fix #3532 * improve getHeaderOut() * add tests # Conflicts: # include/coroutine_socket.h # swoole_http_client_coro.cc * Fixed: fix header inject when use CRLF (#3539) * fix: fix header inject when use CRLF * test: add test # Conflicts: # swoole_http_response.cc * Fixed: Fix CRLF injection in `redirect` and `header` (#3541) * Fix CRLF injection in `redirect` and `header` The previous fix (#3539) was incomplete. The added check is not enforced when `ucwords` is set to false. * Fix typo # Conflicts: # swoole_http_response.cc * Fixed: check cookie injection (#3545) * Fixed: check cookie injection * fix: don't check crlf when use cookie urlencode # Conflicts: # swoole_http_response.cc * Fixed: set coroutine websocket server frame->fd (#3549) * Fixed: set coroutine websocket server frame->fd * fix: fix test * Fix #3577 (#3579) # Conflicts: # swoole_runtime.cc * Fix the test (#3430) # Conflicts: # tests/swoole_http2_client_coro/post.phpt * test: fix swoole_http_client_coro/upload_big.phpt (#3590) * fix: fix http client upload_big test * fix: http client upload big file * Fix test * Fix free * Fix free Co-authored-by: twosee <twose@qq.com> Co-authored-by: 韩天峰-Rango <mikan.tenny@gmail.com> Co-authored-by: 耐小心 <qiqizjl@qq.com> Co-authored-by: codinghuang <2812240764@qq.com> Co-authored-by: Jiantao Li <CurseRed@Gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This one should correctly patch the vulnerability in
redirectandheadermethod. The previous one (#3539) is incomplete.