[Webkit-unassigned] [Bug 158768] New: CR alone in response header is treated as end-of-line.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 14 17:54:42 PDT 2016


            Bug ID: 158768
           Summary: CR alone in response header is treated as end-of-line.
    Classification: Unclassified
           Product: WebKit
           Version: Safari 9
          Hardware: Macintosh
                OS: OS X 10.11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sha7me1on.mach at gmail.com

Safari treat CR alone in response header as end-of-line.

add_header X-header 'foo\rSet-Cookie: var=exploit';

This will set the cookie's value.

In rfc2616, CR alone in headers is not spec'd.
But I think it is difficult for application developers to recognize needs to escape CR alone in response header referencing rfc2616.
I think it is better to disallow CR alone as end-of-line.
I've also opened this issue in chromium bug-trackers.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160615/ac88c7d9/attachment.html>

More information about the webkit-unassigned mailing list