]> Sergey Matveev's repositories - public-inbox.git/blobdiff - lib/PublicInbox/HTTP.pm
projects / public-inbox.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
httpd: reject requests with spaces in header names
[public-inbox.git] / lib / PublicInbox / HTTP.pm
diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 0f4b5047784a75b5b9bba21797fbd6cc584851d5..18a1925066fbdbfabbed6ac54b60982a08f85db7 100644 (file)
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -91,6 +91,7 @@ sub event_step { # called by PublicInbox::DS
                }
                $self->do_read($rbuf, 8192, length($$rbuf)) or return;
        }
+       return quit($self, 400) if grep(/\s/, keys %env); # stop smugglers
        $$rbuf = substr($$rbuf, $r);
        my $len = input_prepare($self, \%env) //
                return write_err($self, undef); # EMFILE/ENFILE
My patches to https://public-inbox.org/public-inbox.git