mirror of https://github.com/lukechilds/node.git
Commit 3c293ba
("http: protect against response splitting attacks")
filters out newline characters from HTTP headers but forgot to apply
the same logic to trailing HTTP headers, i.e., headers that come after
the response body. This commit rectifies that.
The expected security impact is low because approximately no one uses
trailing headers. Some HTTP clients can't even parse them.
PR-URL: https://github.com/nodejs/node/pull/2945
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
v5.x
Ben Noordhuis
9 years ago
2 changed files with 22 additions and 9 deletions
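
An added illustration of the filtering the commit message describes, not code from this commit or from Node.js: it serializes the trailer section of a chunked response with and without newline filtering and counts the field lines a receiver would parse. The helper names `stripLineBreaks`, `serializeTrailers` and `trailerLines`, and the sample trailer, are assumptions constructed for this example.

```javascript
'use strict';

// Hypothetical helpers for illustration; not Node's internal implementation.

// Drop CR/LF (and any folding whitespace after them) so a field cannot
// end its own line and begin a new one.
function stripLineBreaks(value) {
  return String(value).replace(/[\r\n]+[ \t]*/g, '');
}

// Serialize the trailer section that follows the final "0" chunk of a
// chunked response. `sanitize` toggles the filtering so both forms can
// be compared side by side.
function serializeTrailers(trailers, sanitize) {
  let out = '0\r\n';
  for (const [name, value] of Object.entries(trailers)) {
    const n = sanitize ? stripLineBreaks(name) : String(name);
    const v = sanitize ? stripLineBreaks(value) : String(value);
    out += `${n}: ${v}\r\n`;
  }
  return out + '\r\n';
}

// Return the field lines a receiver would see after the "0" chunk line.
function trailerLines(wire) {
  return wire.split('\r\n').slice(1).filter((line) => line !== '');
}

// Constructed sample: a trailer value carrying an embedded CRLF.
const sample = { 'X-Checksum': 'abc123\r\nX-Injected: 1' };

function demo() {
  return {
    unfiltered: trailerLines(serializeTrailers(sample, false)),
    filtered: trailerLines(serializeTrailers(sample, true)),
  };
}

console.log(demo());
```

Without filtering, the single trailer is emitted as two field lines; with filtering it stays one line whose value has the line break removed.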