Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix to disable Header and Authorise attributes containing CRLF #1834

Merged
merged 2 commits into from
Sep 22, 2024
Merged

Fix to disable Header and Authorise attributes containing CRLF #1834

merged 2 commits into from
Sep 22, 2024

Conversation

ChrisPulman
Copy link
Member

@ChrisPulman ChrisPulman commented Sep 22, 2024
edited
Loading

What kind of change does this PR introduce?

Fix

What is the current behavior?

Header and Authorise attributes could CRLF which may cause issues

What is the new behavior?

Added detection and correction of CRLF characters.

What might this PR break?

None expected

Please check if the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

Other information:

@ChrisPulman
Fix for CRLF injection vulnerability
f89c313 
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
@ChrisPulman
Copy link
Member Author

@anaisbetts please take a look at this as a possible resolution, thank you.

@ChrisPulman ChrisPulman changed the title Fix for CRLF injection vulnerability Fix to disable Header and Authorise attributes containing CRLF Sep 22, 2024
@glennawatson glennawatson merged commit 483b1d8 into main Sep 22, 2024
1 check passed
@glennawatson glennawatson deleted the CP_CRLF_InjectionFix branch September 22, 2024 12:04
@anaisbetts
Copy link
Member

Should we also change TryAddWithoutValidation to just Add?

@ChrisPulman
Copy link
Member Author

Should we also change TryAddWithoutValidation to just Add?

I will take a look at this assuming there's no conflict with any existing options

@github-actions GitHub Actions
Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ChrisPulman @anaisbetts @glennawatson