Orange Tsai <orange.8...@gmail.com> writes:
> # This will work
> $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'

Not even considering the effect on headers, it's surprising that wget doesn't produce an immediate error, since "127.0.0.1%0d%0aCookie%3a hi%0a" is syntactically invalid as a host part. Why doesn't wget's URL parser detect that?

I'm sure the new patch is an improvement, but it's surprising that the old code didn't detect that was an invalid URL anyway, since it contains characters that aren't permitted in those locations.

Dale
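An added example, not part of the original message and not wget's code or the patch under discussion: a host-part check of the kind the message asks about, which decodes percent-escapes before judging each byte so that `%0d%0a` cannot reach a header line. The name `host_is_valid` and the strict letters/digits/`-`/`.` policy are assumptions of this sketch; IPv6 literals and internationalized names are out of scope.

```c
#include <ctype.h>
#include <stdio.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper, not wget's: return 1 if the host part is acceptable.
   Percent-escapes are decoded first, so %0d, %0a and %3a are judged by the
   byte they stand for rather than by the escape text. */
int host_is_valid(const char *host)
{
    size_t i = 0, n = 0;

    if (host == NULL || host[0] == '\0')
        return 0;
    while (host[i] != '\0') {
        unsigned char b = (unsigned char)host[i];
        if (b == '%') {
            int hi = hex_val((unsigned char)host[i + 1]);
            int lo = hi < 0 ? -1 : hex_val((unsigned char)host[i + 2]);
            if (lo < 0)
                return 0;               /* truncated or malformed escape */
            b = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            i += 1;
        }
        /* Assumed strict policy: letters, digits, '-' and '.' only. */
        if (!isalnum(b) && b != '-' && b != '.')
            return 0;                   /* CR, LF, ':', space, ... */
        n++;
    }
    return n <= 253;                    /* DNS name length limit */
}

int main(void)
{
    /* Host part of the URL quoted in the message above. */
    const char *bad = "127.0.0.1%0d%0aCookie%3a hi%0a";
    printf("%s -> %d\n", "127.0.0.1", host_is_valid("127.0.0.1"));
    printf("%s -> %d\n", bad, host_is_valid(bad));
    return 0;
}
```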