New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set_redirect & set_header are susceptible to http response splitting attack #425
Comments
|
Fix: headers should allow only readable characters and not special codes like newlines etc. |
|
Great finding! I'll look into it. |
|
I researched some web frameworks to see how they handle this issue. So each framework takes a different way to handle it. PHP: Treat it as a warning Django: Raise Rails: Just remove CRLF characters I am thinking to do this check in |
|
@shouc, I fixed it and released v0.5.9. Could you report this issues has been resolved to the place to which you have submitted this as a vulnerability? Thanks a lot! https://nvd.nist.gov/vuln/detail/CVE-2020-11709 |
ref: https://owasp.org/www-community/attacks/HTTP_Response_Splitting
Analysis
PoC
Lastly, this library is gorgeous. Thank you!!
The text was updated successfully, but these errors were encountered: