[Webkit-unassigned] [Bug 158768] New: CR alone in response header is treated as end-of-line.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jun 14 17:54:42 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=158768
Bug ID: 158768
Summary: CR alone in response header is treated as end-of-line.
Classification: Unclassified
Product: WebKit
Version: Safari 9
Hardware: Macintosh
OS: OS X 10.11
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sha7me1on.mach at gmail.com
Safari treat CR alone in response header as end-of-line.
[nginx.conf]
add_header X-header 'foo\rSet-Cookie: var=exploit';
This will set the cookie's value.
In rfc2616, CR alone in headers is not spec'd.
But I think it is difficult for application developers to recognize needs to escape CR alone in response header referencing rfc2616.
I think it is better to disallow CR alone as end-of-line.
f
I've also opened this issue in chromium bug-trackers.
https://bugs.chromium.org/p/chromium/issues/detail?id=619579
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160615/ac88c7d9/attachment.html>
More information about the webkit-unassigned
mailing list