NAME

Plack::Middleware::BlockHeaderInjection - block header injections in responses

VERSION

version v1.1.1

SYNOPSIS

use Plack::Builder;

my $app = ...

$app = builder {
  enable 'BlockHeaderInjection',
    status => 500;
  $app;
};

DESCRIPTION

This middleware will check responses for injected headers. If the headers contain newlines, then the return code is set to 500 and the offending header(s) are removed.

A common source of header injections is when parameters are passed unchecked into a header (such as the redirection location).

An attacker can use injected headers to bypass system security, by forging a header used for security (such as a referrer or cookie).

ATTRIBUTES

<status

The status code to return if an invalid header is found. By default, this is 500.

SUPPORT FOR OLDER PERL VERSIONS

Since v1.1.0, this module requires Perl v5.12 or later.

Future releases may only support Perl versions released in the last ten years.

If you need this module on Perl v5.8, please use one of the v1.0.x versions of this module. Signficant bug or security fixes may be backported to those versions.

SEE ALSO

https://en.wikipedia.org/wiki/HTTP_header_injection

SOURCE

The development version is on github at https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection and may be cloned from git://github.com/robrwo/Plack-Middleware-BlockHeaderInjection.git

BUGS

Please report any bugs or feature requests on the bugtracker website https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection/issues

When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.

AUTHOR

Robert Rothenberg <rrwo@cpan.org>

The initial development of this module was supported by Foxtons, Ltd https://www.foxtons.co.uk.

COPYRIGHT AND LICENSE

This software is Copyright (c) 2014,2020,2023 by Robert Rothenberg.

This is free software, licensed under:

The Artistic License 2.0 (GPL Compatible)