From dd6e9583a2eb2ca085583765e8a63df5904cb036 Mon Sep 17 00:00:00 2001
From: Patrick Baus
Date: Thu, 11 Aug 2016 01:48:12 +0200
Subject: [PATCH] Fixed request smuggling vulnerability. See: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_HTTP_Request/Response_Smuggling According to https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader%28%29-method, the header should be ignored anyway if those properties were set.

---
 htdocs/js/ajax_functions.js | 2 --
 1 file changed, 2 deletions(-)

diff --git a/htdocs/js/ajax_functions.js b/htdocs/js/ajax_functions.js
index 1b3a955..540b925 100644
--- a/htdocs/js/ajax_functions.js
+++ b/htdocs/js/ajax_functions.js
@@ -202,8 +202,6 @@ function makeHttpRequest(url,parameters,meth,successCallbackFunctionName,errorCa
 http_request.open(meth,url,true);
 http_request.setRequestHeader('Content-type','application/x-www-form-urlencoded');
- http_request.setRequestHeader('Content-length',parameters.length);
- http_request.setRequestHeader('Connection','close');
 if (meth == 'GET') parameters = null;
 http_request.send(parameters);
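Review bot: Nothing left in the code records why Content-Length and Connection are no longer set, so a later maintainer may well add them back; a one-line comment above the surviving `setRequestHeader('Content-type', …)` call would pin that down, e.g. `// Do not set Content-Length or Connection here: both are forbidden request headers that the browser computes itself and setRequestHeader() silently drops.` The removed `parameters.length` was also a UTF-16 code-unit count rather than the byte length of the encoded body, so even where honored it would have been wrong, and since conforming browsers never sent either header this is hygiene rather than a reachable smuggling fix, which the commit message could state more precisely. On the following context line, `meth == 'GET'` uses loose, case-sensitive equality; `meth === 'GET'` is the idiomatic form, though open() already normalizes the method the browser actually sends, so the practical effect is only that a lowercase `'get'` caller keeps its body parameter until send() discards it. makeHttpRequest begins before this hunk and its body continues after it.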