26976310d2
Motivation:

HttpServerUpgradeHandler takes a list of protocols from an incoming request and uses them for building a response. Although the class does some validation while parsing the list, it then disables HTTP header validation when it builds a response. The disabled validation may potentially allow HTTP response splitting attacks.

Modifications:

- Enabled HTTP header validation in HttpServerUpgradeHandler as a defense-in-depth measure to prevent possible HTTP response splitting attacks.
- Added a new constructor that allows disabling the validation.

Result:

HttpServerUpgradeHandler validates incoming protocols before including them into a response. That should prevent possible HTTP response splitting attacks.
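The following is an added illustration, not code from this commit or from Netty. It is a simplified Python model of the behaviour the message describes: a protocol name taken from the request is echoed into the `Upgrade` header of a 101 response, with header validation switched on or off. All function names and the `TAINTED` sample value are assumptions made for the example.

```python
import re

# RFC 7230 token characters; a protocol name is token ["/" token].
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PROTOCOL = re.compile(_TCHAR + r"(?:/" + _TCHAR + r")?")


def parse_upgrade_protocols(header_value):
    """Split a request's Upgrade header value into protocol names."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def build_upgrade_response(protocol, validate_headers=True):
    """Serialize a 101 response that echoes `protocol` in its Upgrade header.

    With validate_headers=True the value must be a plain protocol token,
    so CR and LF can never reach the wire.
    """
    if validate_headers and not _PROTOCOL.fullmatch(protocol):
        raise ValueError("illegal Upgrade header value: %r" % protocol)
    lines = [
        "HTTP/1.1 101 Switching Protocols",
        "Connection: upgrade",
        "Upgrade: " + protocol,
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_names(raw_response):
    """Header names as a downstream HTTP parser would read them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample: a protocol value carrying CRLF and one extra header line.
TAINTED = "h2c\r\nX-Injected: 1"

if __name__ == "__main__":
    # Validation off: the echoed value adds a header the server never set.
    print(header_names(build_upgrade_response(TAINTED, validate_headers=False)))
    # Validation on (the default): the value is rejected before serialization.
    try:
        build_upgrade_response(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```
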