Insecure header validation in slim/psr7

Impact An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slilm-Ps...

Initial debug-host handler implementation could leak information and facilitate denial of service

Impact version 1.5.0 and 1.6.0 when using the new debug-host feature could expose unnecessary information about the host Patches Use 1.6.1 or newer Workarounds Downgrade to 1.4.0 or set debug-host to empty References https://github.com/fortio/proxy/pull/38 Q&A...