Skip to content

Fix to disable Header and Authorise attributes containing CRLF#1834

Merged
glennawatson merged 2 commits into
mainfrom
CP_CRLF_InjectionFix
Sep 22, 2024
Merged

Fix to disable Header and Authorise attributes containing CRLF#1834
glennawatson merged 2 commits into
mainfrom
CP_CRLF_InjectionFix

Conversation

@ChrisPulman
Copy link
Copy Markdown
Member

@ChrisPulman ChrisPulman commented Sep 22, 2024
edited
Loading

What kind of change does this PR introduce?

Fix

What is the current behavior?

Header and Authorise attributes could CRLF which may cause issues

What is the new behavior?

Added detection and correction of CRLF characters.

What might this PR break?

None expected

Please check if the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

Other information:

@ChrisPulman
Fix for CRLF injection vulnerability
f89c313 
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
@ChrisPulman
Copy link
Copy Markdown
Member Author

ChrisPulman commented Sep 22, 2024

@anaisbetts please take a look at this as a possible resolution, thank you.

@ChrisPulman ChrisPulman changed the title Fix for CRLF injection vulnerability Fix to disable Header and Authorise attributes containing CRLF Sep 22, 2024
@glennawatson glennawatson merged commit 483b1d8 into main Sep 22, 2024
@glennawatson glennawatson deleted the CP_CRLF_InjectionFix branch September 22, 2024 12:04
@anaisbetts
Copy link
Copy Markdown
Member

anaisbetts commented Sep 30, 2024

Should we also change TryAddWithoutValidation to just Add?

@ChrisPulman
Copy link
Copy Markdown
Member Author

ChrisPulman commented Oct 1, 2024

Should we also change TryAddWithoutValidation to just Add?

I will take a look at this assuming there's no conflict with any existing options

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Oct 16, 2024

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Oct 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ChrisPulman @anaisbetts @glennawatson