December 27, 2016 [Issue 16174] [SECURITY]=?UTF-8?Q?=20HTTP=C2=A0header=20injection?= | ||||
---|---|---|---|---|
| ||||
https://issues.dlang.org/show_bug.cgi?id=16174 greenify <greeenify@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |trivial CC| |greeenify@gmail.com Severity|normal |major -- |
April 01, 2017 [Issue 16174] [SECURITY]=?UTF-8?Q?=20HTTP=C2=A0header=20injection?= | ||||
---|---|---|---|---|
| ||||
https://issues.dlang.org/show_bug.cgi?id=16174 Steven Schveighoffer <schveiguy@yahoo.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |schveiguy@yahoo.com Resolution|--- |WONTFIX --- Comment #1 from Steven Schveighoffer <schveiguy@yahoo.com> --- While I can see the concern, the truth is that you already are able to call a function which is adding a header to the request. In that sense, this isn't exactly a "security" issue, as you have permission to add the header already. Where this can be a problem is if you are passing a string from an un-trusted source, but that's probably not a good idea anyway, even if just adding one header. I'm not sure std.net.curl is the right place to make these types of decisions, it's a pretty bare wrapper around curl. Closing as WONTFIX, please re-open if you think this is in error. -- |
Copyright © 1999-2021 by the D Language Foundation