2008/10/20 weepy <[EMAIL PROTECTED]>:
> The Ruby HTTP libraries used by Rails do not perform any sanitization
> of the values of their HTTP Headers.
> This can lead to Response Splitting and Header Injection attacks in
> certain circumstances where user-provided values are written into
> response headers. These malformed values can be used to set custom
> cookies, and forge fake responses to users if your application uses
> any of the user-submitted parameters to construct HTTP headers without
> sanitizing.
I need to check the code, but since Merb does not use cgi.rb (but Rails does), it's probably not a concern.

-- 
MK
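The attack weepy's quoted advisory describes, as an added stand-alone example (not Rails, Merb or cgi.rb code, and not from either poster): a response builder that writes header values verbatim, the same builder guarded by a CR/LF check, and a constructed attacker value reflected into a Location header. The helper names, the `HeaderInjection` class and the sample value are all assumptions made for the illustration.

```ruby
# Added example: HTTP response splitting via an unsanitized header value,
# and the check that blocks it. Not the code of any real framework.

CRLF = "\r\n"

# Builds a raw HTTP/1.1 response. Header values are written verbatim,
# which is the defect the thread describes: a value containing CR/LF ends
# the header line early and lets the attacker append headers and even a
# forged body, which a client or cache will take as the real response.
def build_response_unsafe(status, headers, body)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines << "Content-Length: #{body.bytesize}"
  (lines + ["", body]).join(CRLF)
end

class HeaderInjection < StandardError; end

# Rejects any header name or value containing CR, LF or NUL. Rejecting is
# safer than stripping: a stripped value silently changes meaning, while a
# rejected one surfaces the attack in the application's logs.
def assert_safe_header!(name, value)
  [name, value].each do |s|
    raise HeaderInjection, "CR/LF in header #{name.inspect}" if s.to_s.match?(/[\r\n\0]/)
  end
end

def build_response_safe(status, headers, body)
  headers.each { |name, value| assert_safe_header!(name, value) }
  build_response_unsafe(status, headers, body)
end

# Parses the header block of a raw response into [[name, value], ...],
# i.e. the headers a client would actually see before the first blank line.
def parse_headers(raw)
  head, _body = raw.split(CRLF + CRLF, 2)
  head.split(CRLF).drop(1).map { |line| line.split(": ", 2) }
end

# Constructed attacker input: a redirect target (think ?next=<value> copied
# into a Location header) that smuggles a Set-Cookie header and a fake page.
EVIL = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>forged page</html>"

# Returns the header names a client sees from the unsafe builder, and the
# outcome of the safe builder on the same input.
def demo
  unsafe = build_response_unsafe("302 Found", { "Location" => EVIL }, "")
  safe = begin
    build_response_safe("302 Found", { "Location" => EVIL }, "")
  rescue HeaderInjection => e
    e.message
  end
  { unsafe_headers: parse_headers(unsafe).map(&:first), safe_result: safe }
end

if __FILE__ == $0
  p demo
end
```

Running `demo` shows the unsafe response carrying an injected `Set-Cookie` header (the real `Content-Length` line has been pushed into the forged body), while the safe builder refuses the value. Whatever library sits underneath, the check worth confirming is that it either rejects or escapes CR and LF in every header value it emits.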
