[Development] Newlines in XHR / QNetworkAccessManager headers
d3fault
d3faultdotxbe at gmail.com
Mon Oct 8 06:48:22 CEST 2012
On Sun, Oct 7, 2012 at 4:53 PM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
> On domingo, 7 de outubro de 2012 21.23.53, Mikko.Saario at nokia.com wrote:
>> xhr.setRequestHeader("Origin","http://www.google.fi\nReferer:http://www.google.fi/whatever");
>>
>> and this results on the HTTP ===>
>>
>> ORIGIN: http://www.google.fi
>> Referer: http://www.google.fi/whatever
>
> Definitely looks like a security risk, thank you for reporting it.
>
> If you find that it's a security issue, contact us at security at qt-project.org
> so we can deal with it.
>
Can we get a Security mailing list that uses the email address
provided above so as to keep the process more transparent? Qt's
response time to the CRIME vulnerability is/was pathetic (I am
partially to blame for that -- didn't report it thinking it would be
fixed upstream in SSL itself).
Or perhaps two security related lists: Security-discussion (for a
thread like this) and Security-announce (for confirmed vulns, perhaps
read-only to the public)?
d3fault
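An added example, not code from Qt or from anyone in this thread, of the check a client library should apply before a header reaches the wire: a value containing CR, LF or another control character is rejected whole (RFC 7230 field-value rules), and a small server-style parse shows why the unchecked case from the report matters. The names isValidHeaderValue, serializeHeaders and parseHeaders are hypothetical.

```cpp
#include <string>
#include <utility>
#include <vector>

typedef std::vector<std::pair<std::string, std::string> > HeaderList;
// An RFC 7230 field-value is VCHAR / SP / HTAB / obs-text; CR, LF and other
// control characters are never legal, so such a value is rejected whole rather
// than "cleaned" (stripping or folding could still change its meaning).
bool isValidHeaderValue(const std::string& value) {
    for (std::string::size_type i = 0; i < value.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(value[i]);
        if (c == '\r' || c == '\n') return false;               // would end the field line early
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false; // other C0 controls and DEL
    }
    return true;
}
// Serialize headers as they go on the wire. With validate=true a failing value
// is dropped and its name recorded in *rejected; with validate=false the raw
// value goes out unchanged, which is the behaviour the report above observed.
std::string serializeHeaders(const HeaderList& headers, bool validate,
                             std::vector<std::string>* rejected) {
    std::string out;
    for (HeaderList::const_iterator it = headers.begin(); it != headers.end(); ++it) {
        if (validate && !isValidHeaderValue(it->second)) {
            if (rejected) rejected->push_back(it->first);
            continue;
        }
        out += it->first + ": " + it->second + "\r\n";
    }
    return out;
}

// Split a header block the way a server does (on LF, tolerating CRLF), which
// makes the effect visible: one submitted header arrives as two.
HeaderList parseHeaders(const std::string& wire) {
    HeaderList result;
    std::string::size_type pos = 0;
    while (pos < wire.size()) {
        std::string::size_type nl = wire.find('\n', pos);
        std::string line = wire.substr(pos, nl - pos);  // substr clamps when nl == npos
        pos = (nl == std::string::npos) ? wire.size() : nl + 1;
        if (!line.empty() && line[line.size() - 1] == '\r') line.erase(line.size() - 1);
        std::string::size_type colon = line.find(':');
        if (colon == std::string::npos) continue;  // blank or malformed line
        std::string val = line.substr(colon + 1);
        while (!val.empty() && (val[0] == ' ' || val[0] == '\t')) val.erase(0, 1);
        result.push_back(std::make_pair(line.substr(0, colon), val));
    }
    return result;
}
```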