em-http-request

Prevent header injection attacks

Open c960657 opened this issue 1 year ago • 1 comments

Add a safeguard against header injection attacks.

There is no bug in em-http-request as such, but this patch removes an attack vector when the library is used to fetch user-provided URLs which have not been properly validated.

This suggestion is inspired by true events.

c960657, Aug 03 '24 13:08

As an alternative, should we force URI encoding instead? Seems like a sensible default.

igrigorik, Nov 10 '24 05:11
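
The two options raised in this thread (refusing a suspicious URL versus forcing URI encoding), sketched as an added example that is not part of the issue, the patch, or em-http-request itself. The helper names, the error class and the sample URL are assumptions constructed for illustration.

```ruby
require 'uri'

# Hypothetical helpers for vetting a user-provided URL before it reaches
# an HTTP client. None of these names are em-http-request API.
class UnsafeURLError < ArgumentError; end

# CR, LF, NUL and the other ASCII control characters never belong in a URL.
CONTROL_CHARS = /[\x00-\x1f\x7f]/.freeze

# Option 1: reject. Fail closed on control characters, non-HTTP schemes
# and URLs without a host.
def reject_unsafe_url(raw)
  raise UnsafeURLError, 'control character in URL' if raw.match?(CONTROL_CHARS)

  uri = URI.parse(raw)
  raise UnsafeURLError, 'only http/https allowed' unless uri.is_a?(URI::HTTP)
  raise UnsafeURLError, 'missing host' if uri.host.nil? || uri.host.empty?

  uri
rescue URI::InvalidURIError => e
  raise UnsafeURLError, e.message
end

# Option 2: force encoding. Percent-encode every byte outside printable
# ASCII (0x21-0x7e), so a CR/LF pair becomes the inert text "%0D%0A".
def encode_unsafe_bytes(raw)
  raw.b.gsub(/[^\x21-\x7e]/n) { |c| format('%%%02X', c.ord) }
     .force_encoding(Encoding::US_ASCII)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a URL carrying an embedded CRLF sequence.
  sample = "http://example.test/path\r\nX-Injected: 1"

  begin
    reject_unsafe_url(sample)
  rescue UnsafeURLError => e
    puts "rejected: #{e.message}"
  end

  puts "encoded:  #{encode_unsafe_bytes(sample)}"
end
```

Rejecting surfaces the bad input to the caller, while encoding keeps the request going with the line break neutralised. In both cases the request line and headers never receive a raw CR or LF.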