NAME

Plack::Middleware::BlockHeaderInjection - block header injections in responses

VERSION

version v1.3.1

SYNOPSIS

use Plack::Builder;

my $app = ...

$app = builder {
  enable 'BlockHeaderInjection',
    status => 500;
  $app;
};

DESCRIPTION

This middleware checks response headers for control characters (codes 0 through 31), a range that includes the carriage returns and newlines used for header injection. Such characters are not allowed in header values by the PSGI specification. If any are found, the response status is changed to the configured status (500 by default) and the offending header(s) are removed.

A common source of header injections is when parameters are passed unchecked into a header (such as the redirection location).

An attacker can use injected headers to bypass security controls, for example by forging a header with security significance (such as setting a cookie) or by splitting the response so that attacker-controlled content is served in its place.

ATTRIBUTES

status

The status code to return if an invalid header is found. By default, this is 500.

clean

When this is true, null bytes, newlines and carriage returns are changed into whitespace rather than rejected. This should be set when there are legitimate multi-line headers that need to be cleaned up for PSGI.

This defaults to false.

Added in v1.3.0
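
The following is an added example, not code from this distribution, showing the injection source described above and both modes of the middleware. The redirect handler, the `$vulnerable`, `$guarded` and `$cleaning` names, and the `next` query parameter are constructed for illustration; Plack::Test and HTTP::Request::Common are used to exercise the apps without a server.

```perl
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;
use Plack::Test;
use HTTP::Request::Common qw(GET);
use URI::Escape qw(uri_escape);

# Constructed example: a redirect handler that copies a query parameter
# straight into the Location header. This is the classic injection source
# the DESCRIPTION warns about.
my $vulnerable = sub {
    my $env  = shift;
    my $req  = Plack::Request->new($env);
    my $next = $req->param('next') // '/';
    return [ 302, [ 'Location' => $next ], [] ];
};

# Default mode: an injected control character turns the response into a
# 500 and the Location header is dropped entirely.
my $guarded = builder {
    enable 'BlockHeaderInjection', status => 500;
    $vulnerable;
};

# Clean mode: NUL, CR and LF in header values are replaced with whitespace,
# so the redirect still goes out but the injected line no longer exists.
my $cleaning = builder {
    enable 'BlockHeaderInjection', clean => 1;
    $vulnerable;
};

# Attacker-controlled value: a CRLF followed by a forged Set-Cookie header.
# Without the middleware this would be emitted as a second response header.
my $payload = "/home\r\nSet-Cookie: admin=1";
my $path    = '/login?next=' . uri_escape($payload);

for my $case ( [ 'blocked (default)' => $guarded ],
               [ 'cleaned (clean => 1)' => $cleaning ] ) {
    my ( $label, $app ) = @$case;
    test_psgi app => $app, client => sub {
        my $cb  = shift;
        my $res = $cb->( GET $path );
        printf "%-22s status=%d location=%s\n",
            $label, $res->code, $res->header('Location') // '(removed)';
    };
}
```

Run it with `perl` after installing the distribution. In the first case the status and the absence of a Location header are the observable signal that an injection was attempted, which is worth logging at the edge; in clean mode the Location value is still attacker-supplied and still needs application-level validation (for example an allow-list of redirect targets), since the middleware only guarantees that it cannot break out of its own header.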

SUPPORT FOR OLDER PERL VERSIONS

This module requires Perl v5.24 or later.

Future releases may only support Perl versions released in the last ten years.

SEE ALSO

https://en.wikipedia.org/wiki/HTTP_header_injection

Plack::Middleware::Lint

SOURCE

The development version is on github at https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection and may be cloned from https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection.git

BUGS

Please report any bugs or feature requests on the bugtracker website https://github.com/robrwo/Plack-Middleware-BlockHeaderInjection/issues

When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.

AUTHOR

Robert Rothenberg <perl@rhizomnic.com>

The initial development of this module was supported by Foxtons, Ltd https://www.foxtons.co.uk.

CONTRIBUTOR

Graham Knop <haarg@haarg.org>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2014-2026 by Robert Rothenberg.

This is free software, licensed under:

The Artistic License 2.0 (GPL Compatible)