On 17 Mar 2013, at 6:54 PM, Eric Covener <[email protected]> wrote:

> If we maintain the use of a password here, like mod_ssl does, wouldn't
> we need to make sure it doesn't come in over the wire?

We use apr_table_setn() which replaces anything that is there already, although if either the username or the password resolves to an empty string it is possible for a user to inject their own. I think to be safe, we should unset the header in the two empty string cases.

Done in r1457504.

Regards,
Graham
--
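The set-or-unset behaviour discussed in the message above, as an added example that is not code from httpd or from r1457504. It assumes the earlier code skipped the set when either value was empty; the one-slot `struct hdr` stands in for the APR header table, and every name in it is hypothetical.

```c
#include <stdio.h>

/* One-slot stand-in for the request header table (hypothetical, not APR). */
struct hdr { const char *value; };            /* NULL means header absent */

static void hdr_set(struct hdr *h, const char *v) { h->value = v; } /* replaces */
static void hdr_unset(struct hdr *h) { h->value = NULL; }

typedef void (*apply_fn)(struct hdr *, const char *, const char *, const char *);

/* Assumed "before": the header is only overwritten when both parts are set. */
static void apply_before(struct hdr *h, const char *user, const char *pw,
                         const char *cred)
{
    if (user[0] != '\0' && pw[0] != '\0')
        hdr_set(h, cred);
    /* empty case: whatever arrived over the wire is still in the table */
}

/* "After": an empty username or password removes the header instead. */
static void apply_after(struct hdr *h, const char *user, const char *pw,
                        const char *cred)
{
    if (user[0] != '\0' && pw[0] != '\0')
        hdr_set(h, cred);
    else
        hdr_unset(h);
}

/* Returns 1 if the client-supplied value is still present after processing. */
static int client_value_survives(apply_fn apply, const char *user, const char *pw)
{
    const char *from_wire = "client-supplied";  /* constructed sample value */
    struct hdr h = { from_wire };
    apply(&h, user, pw, "server-generated");    /* constructed sample value */
    return h.value == from_wire;
}

int main(void)
{
    printf("before, empty user: %d\n", client_value_survives(apply_before, "", "pw"));
    printf("after,  empty user: %d\n", client_value_survives(apply_after, "", "pw"));
    printf("after,  empty pw:   %d\n", client_value_survives(apply_after, "u", ""));
    printf("after,  both set:   %d\n", client_value_survives(apply_after, "u", "pw"));
    return 0;
}
```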
