Status: Fixed
Assignee: Scott Cantor
Reporter: Scott Cantor
Original estimate: 4h
Created December 5, 2012 at 2:14 AM
Updated December 10, 2012 at 7:13 PM
Resolved December 8, 2012 at 1:59 AM
The check for existing headers scans the ALL_HTTP variable and flags a spoof attempt on nothing more than a tail match on a header name when the "safeHeaderNames" option is off. This trips wildly on short attribute header names like "o" or "st" (for example, HTTP_HOST ends in "ST") and should be tightened up to check for the real, full header name, the same as the "safe" code path does.
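The false positive described above, as an added illustration (this is not the SP's own filter code): a tail-match check over an IIS-style ALL_HTTP value beside an exact-name check. The ALL_HTTP layout ("HTTP_NAME:value" lines separated by CRLF), the request headers and the protected names "o" and "st" are constructed for the example.

```python
# Added example, not the project's code. Contrasts the tail-match check on
# ALL_HTTP with an exact header-name check. ALL_HTTP is assumed to follow the
# IIS layout: "HTTP_NAME:value" lines separated by CRLF.

# Constructed ALL_HTTP value from an ordinary, unspoofed request.
CLEAN_ALL_HTTP = (
    "HTTP_HOST:sp.example.org\r\n"
    "HTTP_X_FORWARDED_PROTO:https\r\n"
    "HTTP_ACCEPT:*/*\r\n"
)

# Same request plus a client-supplied "ST" header, i.e. a genuine spoof attempt.
SPOOFED_ALL_HTTP = CLEAN_ALL_HTTP + "HTTP_ST:Ohio\r\n"

# Attribute header names the SP populates itself and must not accept from clients.
PROTECTED_HEADERS = ["o", "st"]


def server_variable_name(header: str) -> str:
    """Map a header name to its IIS server-variable form: HTTP_ prefix, upper case, '-' -> '_'."""
    return "HTTP_" + header.upper().replace("-", "_")


def header_names(all_http: str) -> list[str]:
    """Extract the server-variable names present in an ALL_HTTP value."""
    return [line.split(":", 1)[0] for line in all_http.split("\r\n") if line]


def tail_match_spoofed(all_http: str, protected: list[str]) -> set[str]:
    """Buggy check: a protected name counts as present if any header name ends with it.
    HTTP_HOST ends in ST and HTTP_X_FORWARDED_PROTO ends in O, so both trip on a clean request."""
    names = header_names(all_http)
    return {
        h for h in protected
        if any(n.endswith(h.upper().replace("-", "_")) for n in names)
    }


def exact_match_spoofed(all_http: str, protected: list[str]) -> set[str]:
    """Tightened check: only a header whose full name equals HTTP_<NAME> counts."""
    names = set(header_names(all_http))
    return {h for h in protected if server_variable_name(h) in names}


if __name__ == "__main__":
    print("tail match, clean request:", tail_match_spoofed(CLEAN_ALL_HTTP, PROTECTED_HEADERS))
    print("exact match, clean request:", exact_match_spoofed(CLEAN_ALL_HTTP, PROTECTED_HEADERS))
    print("exact match, spoofed request:", exact_match_spoofed(SPOOFED_ALL_HTTP, PROTECTED_HEADERS))
```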