This was derived from a mix of the Apache code and the ISAPI code. Make it look like the ISAPI code.
This is a brain melting concept since it is looking for a negative.
Since it is security-important, once I have made the change I'll pass on to Scott to review
Environment
None
Activity
Scott Cantor
May 23, 2018 at 9:49 PM
There were indeed several issues here, one being that this code inherited a hack that the old API required but the new one doesn't, which is the appending of a colon to a header when you set it. That was causing a bunch of weird results but it looks normal now.
The spoof checking and clearing was not correct. The clearing wasn't happening at all, and that's not dependent on the spoof checking option at all, it's just something the code does as an extra defense against header injection. That's now happening.
The other bug is that the ALL_HTTP access was to a header and not a server variable, which was preventing it from working, and that's fixed and tested.
Rod Widdowson
July 1, 2017 at 3:15 PM
Work done and pushed as 187d9c1
I have not reached the zen-trance-level to fully understand the multiple-not-statements involved here (which is work in clearheader path only?), so I'll assign to Scott to review.
This was derived from a mix of the Apache code and the ISAPI code. Make it look like the ISAPI code.
This is a brain melting concept since it is looking for a negative.
Since it is security-important, once I have made the change I'll pass on to Scott to review