[core] reject WS following header field-name (fixes #2985)
reject whitespace following request header field-name and before colon

Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd. However, if explicitly disabled in lighttpd.conf, lighttpd will continue to accept (and re-format) such field-names before passing to any backend.

UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
This is NOT RECOMMENDED since doing so disables other protections provided by lighttpd strict http header parsing.

(thx fedormixalich)

x-ref:
  stricter request header parsing
  https://redmine.lighttpd.net/issues/2985

personal/stbuehler/ci-build
parent
851728c6a1
commit
61f85d14ee
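
The check the commit message describes, as an added example that is not lighttpd's code: `field_name_len` and `HDR_REJECT` are hypothetical names, and the sample header lines are constructed. Strict mode rejects whitespace between the field-name and the colon; the non-strict branch models the "accept (and re-format)" behaviour by trimming it.

```c
#include <stdio.h>
#include <string.h>

#define HDR_REJECT (-1)   /* caller answers 400 Bad Request */

/* tchar from RFC 7230 Section 3.2.6: the only bytes allowed in a field-name */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical helper (not lighttpd's parser): checks one request header line
 * without its CRLF. Returns the field-name length to pass on, or HDR_REJECT.
 * strict != 0 models the default; strict == 0 models "header-strict" => "disable". */
int field_name_len(const char *line, int strict)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return HDR_REJECT;                 /* not a header field at all */

    size_t end = (size_t)(colon - line);
    size_t raw = end;
    while (end > 0 && (line[end - 1] == ' ' || line[end - 1] == '\t'))
        end--;                             /* whitespace before the colon */

    if (end != raw && strict)
        return HDR_REJECT;                 /* RFC 7230 Section 3.2.4 */
    if (end == 0)
        return HDR_REJECT;                 /* empty field-name */

    /* Assumption of this example: both modes still require tchar bytes. */
    for (size_t i = 0; i < end; i++)
        if (!is_tchar((unsigned char)line[i]))
            return HDR_REJECT;
    return (int)end;                       /* non-strict: name with WS trimmed */
}

int main(void)
{
    const char *samples[] = { "Content-Length: 5", "Content-Length : 5" }; /* constructed */
    for (size_t i = 0; i < 2; i++)
        printf("%-20s strict=%d lenient=%d\n", samples[i],
               field_name_len(samples[i], 1), field_name_len(samples[i], 0));
    return 0;
}
```
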