httoop

Reject messages with multiple single-value headers

Open spaceone opened this issue 6 years ago • 1 comments

Some HTTP headers might occur only once in an HTTP message (e.g. Content-Length, Location, Host, Content-Disposition, etc.). Messages which contain these headers multiple times should be rejected for security reasons.

Content-Length injection leads to response splitting. Location leads to redirect hijacking.

spaceone avatar Oct 01 '19 15:10 spaceone
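
One way to implement the check requested above, as an added example that is not httoop's code and not part of the original post. The function and class names are hypothetical, the sample messages are constructed, and the single-value set holds only the headers the issue names.

```python
# Added example, not httoop's implementation. All names are hypothetical.
SINGLE_VALUE_HEADERS = frozenset(
    {"content-length", "location", "host", "content-disposition"}
)


class DuplicateHeaderError(ValueError):
    """Raised when a single-value header occurs more than once."""


def parse_header_block(raw: bytes) -> dict[str, list[str]]:
    """Parse CRLF-separated header lines, rejecting repeated single-value headers.

    Field names are compared case-insensitively, so 'Host' and 'HOST' collide.
    Headers outside the single-value set are collected into a list.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            break  # an empty line ends the header block
        name, sep, value = line.partition(b":")
        # No colon, empty name, or whitespace around the name: refuse to guess.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.decode("ascii").lower()
        if key in SINGLE_VALUE_HEADERS and key in headers:
            raise DuplicateHeaderError(f"header {key!r} occurs more than once")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def is_rejected(raw: bytes) -> bool:
    """Return True if the header block is refused because of a duplicate."""
    try:
        parse_header_block(raw)
    except DuplicateHeaderError:
        return True
    return False


# Constructed sample header blocks.
VALID = (b"Host: example.test\r\nAccept: text/html\r\n"
         b"Accept: */*\r\nContent-Length: 5\r\n\r\n")
DUPLICATED = b"Host: example.test\r\nContent-Length: 5\r\ncontent-length: 0\r\n\r\n"
```

The second `content-length` line differs only in case and is still caught, because the comparison is done on the lowercased field name.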

http-core issue 193

spaceone avatar Oct 01 '19 15:10 spaceone