Regis Leroy reported that httpd does not strictly accept CRLF for
author jsg <jsg@openbsd.org>
Sat, 18 Apr 2015 09:27:54 +0000 (09:27 +0000)
committer jsg <jsg@openbsd.org>
Sat, 18 Apr 2015 09:27:54 +0000 (09:27 +0000)
commit 8757e0cc438aba5d165dfcba7a87e597b1f1da5e
tree bde850179f1d4979a6dfc33fc47bb87af6c2ac77
parent 6620a6fb459531921b1730d9a67f54c692e424c7
Regis Leroy reported that httpd does not strictly accept CRLF for
newlines which could lead to http response splitting/smuggling
if a badly behaved proxy is in front of httpd.

Switch from evbuffer_readline() to evbuffer_readln() with
EVBUFFER_EOL_CRLF_STRICT to avoid this.

ok florian@
usr.sbin/httpd/server_http.c
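
An added illustration of the line-ending disagreement the commit message describes (not code from the OpenBSD tree or from libevent): simplified stand-ins for a lenient and a strict end-of-line rule, run over a constructed request whose third line ends in a bare LF. The function names and the sample request are assumptions made for this example.

```c
#include <stdio.h>

/* Constructed sample request: the "X-Note" line ends in a bare LF. */
static const char SAMPLE[] =
    "GET / HTTP/1.1\r\n" "Host: example.test\r\n"
    "X-Note: a\n" "X-Other: b\r\n" "\r\n";

/* Lenient stand-in: a lone CR, a lone LF, or CRLF ends a line. Returns line length or -1. */
static long next_line_any(const char *p, size_t len, size_t *used)
{
    size_t i = 0;
    while (i < len && p[i] != '\r' && p[i] != '\n')
        i++;
    if (i == len) return -1;
    /* consume the terminator, plus the LF when it is a CRLF pair */
    *used = i + 1 + (i + 1 < len && p[i] == '\r' && p[i + 1] == '\n');
    return (long)i;
}

/* Strict stand-in: only the exact sequence CRLF ends a line. */
static long next_line_strict(const char *p, size_t len, size_t *used)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') {
            *used = i + 2;
            return (long)i;
        }
    return -1;
}

/* Count lines up to and including the empty line that ends the headers. */
static int count_header_lines(const char *buf, size_t len,
    long (*rd)(const char *, size_t, size_t *))
{
    int n = 0;
    size_t used = 0;
    for (long l; (l = rd(buf, len, &used)) >= 0; buf += used, len -= used) {
        n++;
        if (l == 0) break;
    }
    return n;
}

int main(void)
{
    size_t n = sizeof(SAMPLE) - 1;
    printf("lenient=%d strict=%d\n", count_header_lines(SAMPLE, n, next_line_any),
        count_header_lines(SAMPLE, n, next_line_strict));
    return 0;
}
```

Under the strict rule the bare LF stays inside the third line instead of starting a new header line, so the two readers count a different number of lines for the same bytes.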