Fixed request smuggling vulnerability. See: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_HTTP_Request/Response_Smuggling
According to https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader%28%29-method, the header should be ignored anyway if those properties were set.
This commit is contained in:
parent
665dbc2690
commit
dd6e9583a2
@ -202,8 +202,6 @@ function makeHttpRequest(url,parameters,meth,successCallbackFunctionName,errorCa
|
||||
http_request.open(meth,url,true);
|
||||
|
||||
http_request.setRequestHeader('Content-type','application/x-www-form-urlencoded');
|
||||
http_request.setRequestHeader('Content-length',parameters.length);
|
||||
http_request.setRequestHeader('Connection','close');
|
||||
|
||||
if (meth == 'GET') parameters = null;
|
||||
http_request.send(parameters);
|
||||
|
Loading…
Reference in New Issue
Block a user