[Development] Newlines in XHR / QNetworkAccessManager headers

d3fault d3faultdotxbe at gmail.com
Mon Oct 8 06:48:22 CEST 2012

On Sun, Oct 7, 2012 at 4:53 PM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
> On domingo, 7 de outubro de 2012 21.23.53, Mikko.Saario at nokia.com wrote:
>> xhr.setRequestHeader("Origin","http://www.google.fi\nReferer:http://www.goog
>> le.fi/whatever<http://www.google.fi/nReferer:%20http:/www.google.fi/whatever
>> >");
>> and this results on the HTTP ===>
>> ORIGIN: http://www.google.fi
>> Referer: http://www.google.fi/whatever

Definitely looks like a security risk, thank you for reporting it.

> If you find that it's a security issue, contact us at security at qt-project.org
> so we can deal with it.

Can we get a Security mailing list that uses the email address
provided above so as to keep the process more transparent? Qt's
response time to the CRIME vulnerability is/was pathetic (I am
partially to blame for that -- didn't report it thinking it would be
fixed upstream in SSL itself).

Or perhaps two security related lists: Security-discussion (for a
thread like this) and Security-announce (for confirmed vulns, perhaps
read-only to the public)?


More information about the Development mailing list