by rtpg
622 days ago
Took me a second to get what was going on here, but basically the idea is that your middleware might not see `C:D`, but then your application _does_ see `C:D`. And given your application might assume your middleware does some form of access control (for example, `X-ActualUserForReal` being treated as an internal-only header), you could get around some access control stuff. Not a bytes-alignment thing but a "header values disagreement" thing. This is an issue if one part of your stack parses headers differently than another in general though, not limited to newlines.
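The disagreement described in the comment above, as an added example that is not part of the original comment or taken from any real middleware or framework: two constructed parsers (one ends a header line only on CRLF, the other also on a bare LF), a check that reports what the second sees and the first does not, and a strict validator that rejects the ambiguous input. The function names, the sample bytes and the `example.test` host are assumptions.

```python
INTERNAL_ONLY = {"x-actualuserforreal"}  # header name taken from the comment above

# Constructed sample: "A: B" is followed by a bare LF instead of CRLF.
SAMPLE = b"Host: example.test\r\nA: B\nX-ActualUserForReal: admin\r\n"


def parse_crlf_only(raw: bytes) -> dict:
    """Hypothetical middleware parser: only CRLF ends a header line."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if b":" in line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def parse_any_newline(raw: bytes) -> dict:
    """Hypothetical application parser: a bare LF also ends a header line."""
    normalized = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return parse_crlf_only(normalized)


def middleware_filter(raw: bytes) -> bytes:
    """Drop internal-only headers the middleware can see; forward the rest as-is."""
    kept = [line for line in raw.split(b"\r\n")
            if line.partition(b":")[0].strip().lower().decode() not in INTERNAL_ONLY]
    return b"\r\n".join(kept)


def disagreement(raw: bytes) -> set:
    """Header names the application would see that the middleware never saw."""
    return set(parse_any_newline(raw)) - set(parse_crlf_only(raw))


def strict_reject(raw: bytes) -> bool:
    """Mitigation: refuse a header block with CR or LF outside a CRLF pair."""
    leftover = raw.replace(b"\r\n", b"")
    return b"\r" in leftover or b"\n" in leftover


if __name__ == "__main__":
    forwarded = middleware_filter(SAMPLE)
    print("middleware sees :", parse_crlf_only(SAMPLE))
    print("application sees:", parse_any_newline(forwarded))
    print("disagreement    :", disagreement(SAMPLE))
    print("strict reject   :", strict_reject(SAMPLE))
```

Running `strict_reject` at the first hop, before any filtering, removes the input on which the two parsers can differ.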