Response Splitting from unsanitized headers
http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:

* Header names (Header.name)
* Header values (Header.value)
* Status reason phrases (Status.reason)
* URI paths (Uri.Path)
* URI authority registered names (URI.RegName) (through 0.21)

The following backends render invalid carriage return, newline, or null characters in an unsafe fashion.

| | blaze-server | ember-server | blaze-client | ember-client | jetty-client |
|:---|:---|:---|:---|---|---|
| …
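
One way to reject the carriage return, newline and null characters described above before untrusted input reaches a header, shown as an added example in plain Scala; it is not http4s code and does not use the http4s API. `HeaderGuard`, `checkName`, `checkValue`, `renderUnchecked` and `renderChecked` are hypothetical names, and treating a valid header name as an RFC 7230 token is an assumption of this sketch.

```scala
// Added example: plain Scala with no http4s imports. All names are hypothetical.
object HeaderGuard {
  // The characters the advisory names as unsafe when rendered: CR, LF, NUL.
  private def isUnsafe(c: Char): Boolean =
    c == '\r' || c == '\n' || c.toInt == 0

  // Assumption: a header name must be an RFC 7230 token.
  private val tokenExtras = "!#$%&'*+-.^_`|~"
  private def isTokenChar(c: Char): Boolean =
    (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
      (c >= '0' && c <= '9') || tokenExtras.indexOf(c) >= 0

  // Left(reason) if the field must not be rendered, Right(field) otherwise.
  def checkName(name: String): Either[String, String] =
    if (name.nonEmpty && name.forall(isTokenChar)) Right(name)
    else Left("header name is not an RFC 7230 token")

  def checkValue(value: String): Either[String, String] =
    value.indexWhere(isUnsafe) match {
      case -1 => Right(value)
      case i  => Left(s"header value has CR, LF or NUL at index $i")
    }

  // Naive rendering, standing in for a backend that writes fields verbatim.
  def renderUnchecked(name: String, value: String): String =
    s"$name: $value\r\n"

  // Hardened path: validate both fields, then render.
  def renderChecked(name: String, value: String): Either[String, String] =
    for {
      n <- checkName(name)
      v <- checkValue(value)
    } yield renderUnchecked(n, v)
}

object Demo extends App {
  import HeaderGuard._
  // Constructed sample input: a value carrying an embedded CRLF.
  val untrusted = "en\r\nX-Injected: constructed"
  // Unchecked, the single intended header is written as several wire lines.
  val wireLines = renderUnchecked("Content-Language", untrusted).split("\r\n")
  println(s"unchecked header lines: ${wireLines.length}")
  // Checked, the same input is refused and a clean value passes through.
  println(renderChecked("Content-Language", untrusted))
  println(renderChecked("Content-Language", "en"))
}
```

The same check applies to the other fields the advisory lists, such as status reason phrases, before they are passed to a backend.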