http://issues.apache.org/bugzilla/show_bug.cgi?id=43473

Summary: "invalid" characters in response headers injected via cgi
Product: Apache httpd-2
Version: 2.2.6
Platform: All
OS/Version: other
Status: NEW
Severity: minor
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

I think it would be nice if apache parses response headers for invalid characters.

There are sites which allow manipulation of response headers, for example by:

    whatever.cgi?new_location=<url>

The cgi adds "Location: $new_location".

If the application ("whatever.cgi") takes no care about the get/post variables, this enables a remote user to simply add headers (or complete responses, e.g. in the case of http-pipelining), for example: "\r\nMy: Header".

I know that the problem here is not apache, but it would be nice if apache takes a bit of care about this.

If this is going to be implemented, there should be a way to configure how the characters are replaced. For example:

    remove - remove all "invalid" characters
    escape - escape them (don't know how, maybe "x00" or "%00" (hex))
    ignore - do nothing
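The three policies proposed in the report (remove, escape, ignore), applied to the Location value before a CGI emits it, as an added example that is not part of the original report or of Apache httpd. The function names, the example.org URL and the choice of %XX as the escape form are assumptions.

```python
import re

# Characters that must never appear in a header field value: CR, LF, NUL
# and the other C0 controls (horizontal tab is allowed), plus DEL.
INVALID = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def clean_header_value(value, mode="remove"):
    """Apply one of the three policies named in the report to a header value.

    remove - drop every invalid character
    escape - replace each one with %XX (hex); assumed encoding
    ignore - pass the value through unchanged (the behaviour being reported)
    """
    if mode == "remove":
        return INVALID.sub("", value)
    if mode == "escape":
        return INVALID.sub(lambda m: "%%%02X" % ord(m.group()), value)
    if mode == "ignore":
        return value
    raise ValueError("unknown mode: %r" % mode)


def build_response(new_location, mode):
    """Emit the header block the way a hypothetical whatever.cgi would."""
    location = clean_header_value(new_location, mode)
    return "Status: 302 Found\r\nLocation: %s\r\n\r\n" % location


def header_names(response):
    """Parse the header block as a client would and list the field names."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if line]


# Constructed input: a URL followed by the extra header quoted in the report.
SAMPLE = "http://example.org/\r\nMy: Header"

if __name__ == "__main__":
    for mode in ("ignore", "remove", "escape"):
        resp = build_response(SAMPLE, mode)
        print(mode, header_names(resp), repr(clean_header_value(SAMPLE, mode)))
```

With "ignore" a client sees a third header field named "My"; with "remove" or "escape" the whole parameter stays inside the Location value.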
