Potential runtime system sensitive information disclosure through special HTTP requests. #457
Comments
|
thanks for report, seems fixed to me now
|
in case you're a CVE hunter, congrats! this issue was assigned CVE-2022-40468. but now i have to become bullshit hunter:
the sentence "does not process HTTP request lines in the process_request () function" is total BS, and the issue is a non-issue for anyone except people that use custom error page templates containing the variables which my commit fixes. the default error page template doesn't contain them, and the built-in error page in html-error.c doesn't either. a proper description for this CVE would be "potential leak of left-over heap data if custom error page templates containing special non-standard variables are used". so unless you did something special with your error page template, you don't have to worry about this CVE, despite the scary description on NIST CVE database.
|
Calm down. The actual CVE description is not exactly the same as what I submitted. I'm not sure why.
|
CVE description updated.