Abhishekmishra2808 commented on issue #602: URL: https://github.com/apache/tooling-trusted-releases/issues/602#issuecomment-3824922913
Hi maintainers, I’d like to work on this issue and take ownership of the fix if it’s still unassigned.

### Proposed plan

- Identify all locations where HTTP header values are created or validated (starting with `HeaderValue`).
- Add explicit validation to reject CR (`\r`) and LF (`\n`) characters to prevent header injection and HTTP response splitting.
- Ensure error messages remain generic and do not leak sensitive input.
- Add unit tests covering CR/LF injection attempts and common malicious payloads (for example, injected headers or `Set-Cookie`).
- Run the full test suite to ensure no regressions and keep the change minimal and review-friendly.

Please let me know if this approach looks good, and I’ll proceed with the implementation. Thanks!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
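
The following is an added illustration of the validation the comment above proposes; it is not code from apache/tooling-trusted-releases or from the commenter. It assumes Python, a hand-rolled `HeaderValue` wrapper type, a `HeaderInjectionError` exception and a toy response serializer used only to show the failure mode; all of those names are this example's own. It also goes slightly beyond the CR/LF-only plan by rejecting NUL and the other C0 control characters, which is an assumption about what a header-value guard should cover, not something the issue states.

```python
"""Added example: a minimal HeaderValue guard against CRLF header injection.

Assumptions (not from the issue): the names below, the HeaderValue wrapper
type and the toy response serializer. None of this is the project's code.
"""
import re
from urllib.parse import unquote

# RFC 9110 field values are visible ASCII, SP, HTAB and obs-text. CR (0x0D) and
# LF (0x0A) terminate a header line in HTTP/1.x, so a value containing either one
# lets an attacker append headers (or a body). NUL and the remaining C0 controls
# are rejected as well; that is this example's choice, wider than CR/LF alone.
# HTAB (0x09) is deliberately allowed.
_ILLEGAL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised for unsafe header values. The message is deliberately generic and
    never echoes the offending input, so logs and error pages cannot leak it."""


class HeaderValue:
    """A header value that is validated exactly once, when it is constructed."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        if not isinstance(value, str) or _ILLEGAL.search(value):
            raise HeaderInjectionError("invalid header value")
        self._value = value

    def __str__(self) -> str:
        return self._value


def is_safe_header_value(value: str) -> bool:
    """Boolean form of the same check, for call sites that prefer not to catch."""
    return isinstance(value, str) and _ILLEGAL.search(value) is None


def serialize_response_unchecked(status: str, headers: list[tuple[str, str]]) -> bytes:
    """The 'before' picture: raw concatenation with no validation. A value that
    carries CRLF turns into extra header lines on the wire."""
    lines = [status] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def serialize_response(status: str, headers: list[tuple[str, HeaderValue]]) -> bytes:
    """The 'after' picture: only HeaderValue instances are accepted, so every
    value was validated before it reaches the serializer."""
    for _, value in headers:
        if not isinstance(value, HeaderValue):
            raise TypeError("header values must be HeaderValue")
    lines = [status] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed attacker input: a redirect target taken from a query string. Once
# percent-decoded it contains CRLF followed by an injected Set-Cookie header.
ATTACK_LOCATION = unquote("/home%0d%0aSet-Cookie:%20session=evil")


def demo_unchecked() -> bytes:
    """Returns the raw response in which the injected Set-Cookie line appears."""
    return serialize_response_unchecked("HTTP/1.1 302 Found", [("Location", ATTACK_LOCATION)])


def demo_checked() -> str:
    """Returns the generic error message the guarded path produces for the same input."""
    try:
        HeaderValue(ATTACK_LOCATION)
    except HeaderInjectionError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(demo_unchecked())
    print(demo_checked())
    print(serialize_response("HTTP/1.1 302 Found", [("Location", HeaderValue("/home"))]))
```

Validating once at construction, and making the serializer accept only the wrapper type, is what turns the plan's "identify all locations where header values are created" into something the type checker can enforce: a raw `str` can no longer reach the wire by accident. The check is applied after percent-decoding because `%0d%0a` in a query string only becomes CRLF once decoded, which is where a header-splitting payload usually originates.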
