[5.0] HTTP Request Smuggling possible in 5.0
Bug #618674 reported by Christophe CHAUVET
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Odoo Web Client | Fix Released | Low | Unassigned | |
Bug Description
Hi
I found an issue when I configure the web client behind a reverse proxy.
I use Chromium (the Chrome web browser) and I activate the JavaScript console. After login, I see the menu, and in my console I see:
- Refused to set unsafe header "Connection"
- Refused to set unsafe header "Content-length"
After some searching on the web, I found this article: http://
Regards,
- security vulnerability: yes → no
- visibility: private → public
- Changed in openobject-client-web: importance: Critical → Low
IMO, it is the responsibility of the intermediate proxy to validate the request headers.
Regarding those warnings, I think it is safe to remove that part from the `Ajax.post` implementation in the `static/javascript/ajax.js` file. That code is based on an old MochiKit implementation. I have explored the `jQuery` implementation of a similar function, and there are no such headers being set in jQuery's implementation.
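The proxy-side header validation the comment above refers to, as an added example that is not part of the bug report or of the Odoo web client: a minimal check of the RFC 7230 framing rules (Content-Length together with Transfer-Encoding, duplicate or non-numeric Content-Length, whitespace before the colon, obsolete line folding) that a reverse proxy should enforce before forwarding a request. The sample request heads are constructed for this example.

```python
import re

# Constructed sample request heads (header section only, no body).
CLEAN = (b"POST /web/ HTTP/1.1\r\nHost: odoo.example\r\n"
         b"Content-Length: 13\r\nContent-Type: application/json\r\n\r\n")
CL_AND_TE = (b"POST /web/ HTTP/1.1\r\nHost: odoo.example\r\n"
             b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")
DUP_CL = (b"POST /web/ HTTP/1.1\r\nHost: odoo.example\r\n"
          b"Content-Length: 13\r\nContent-Length: 7\r\n\r\n")
SPACED_NAME = (b"POST /web/ HTTP/1.1\r\nHost: odoo.example\r\n"
               b"Content-Length : 13\r\n\r\n")

TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 "token"


def parse_head(head: bytes) -> list:
    """Return (lower-cased name, value) pairs; raise ValueError on malformed lines."""
    fields = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line == b"":
            break  # end of header section
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")  # RFC 7230 3.2.4: reject
        name, sep, value = line.partition(b":")
        # Whitespace between field name and colon must be rejected, not repaired.
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed field name: %r" % name)
        fields.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return fields


def validate_framing(head: bytes) -> tuple:
    """Apply the RFC 7230 section 3.3.3 framing rules a reverse proxy should enforce."""
    try:
        fields = parse_head(head)
    except ValueError as exc:
        return False, str(exc)
    cls = [v for n, v in fields if n == "content-length"]
    tes = [v for n, v in fields if n == "transfer-encoding"]
    if cls and tes:
        return False, "Content-Length and Transfer-Encoding both present"
    if len(set(cls)) > 1:
        return False, "conflicting Content-Length values"
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        return False, "non-numeric Content-Length"
    codings = [c.strip().lower() for v in tes for c in v.split(",")]
    if codings and codings[-1] != "chunked":
        return False, "Transfer-Encoding without final chunked coding"
    return True, "ok"
```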