Reject messages with multiple single-value headers #8

spaceone · 2019-10-01T15:47:06Z

Some HTTP headers might occurr only once in a HTTP message (e.g. Content-Length, Location, Host, Content-Disposition, etc.).
Messages which contain these headers multiple times should be rejected for security reasons.

Content-Length injection leads to response splitting
Location leads to redirect hijacking.

spaceone · 2019-10-01T15:48:43Z

http-core issue 193

spaceone added the security label Oct 1, 2019

spaceone changed the title ~~Reject messages with multiple single-headers~~ Reject messages with multiple single-value headers Oct 1, 2019

spaceone added a commit that referenced this issue Oct 4, 2019

Issue #8: Check if value is single value

d2b9fb2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reject messages with multiple single-value headers #8

Reject messages with multiple single-value headers #8

spaceone commented Oct 1, 2019

spaceone commented Oct 1, 2019

Reject messages with multiple single-value headers #8

Reject messages with multiple single-value headers #8

Comments

spaceone commented Oct 1, 2019

spaceone commented Oct 1, 2019