Previously a user could place any value in the host header of their http request to Barbican and the result returned would have the correct URL in the body, but the response location header was built using the provided (and possibly malicious) host value from the request header. Resolved this by ensuring that the location header in the response field matches the URL returned in the body. Also added functional tests to ensure that this exposure won't reappear.

Change-Id: I49a9e44be68b20f7602cf58202dd8e522a0c25c3
Closes-Bug: 1421479
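The pattern the commit message describes, shown as an added example that is not Barbican's code: a response handler that builds the `Location` header from the client-supplied `Host` header next to the corrected form that derives it from a configured public base URL (named `CONFIGURED_HOST_HREF` here, analogous to Barbican's `host_href` setting, which is an assumption of this example), plus the regression check that the header and the body URL agree. The request is modelled as a plain dict of headers and all values are constructed.

```python
"""Location header built from the Host header: vulnerable vs. fixed pattern.

Added example, not Barbican's own code. Assumes a dict-of-headers request and
a configured canonical base URL (constructed value below).
"""
from urllib.parse import urljoin

# Constructed configuration value: the canonical public URL of the service.
CONFIGURED_HOST_HREF = "https://barbican.example.org:9311"

# Constructed allow-list used by the defensive Host check below.
ALLOWED_HOSTS = {"barbican.example.org"}


def build_location_from_host_header(headers, resource_path):
    """Vulnerable pattern: trusts whatever the client sent in Host.

    The value is echoed into the Location response header, so a spoofed Host
    makes the header point at an origin the client chose.
    """
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers["Host"]
    return "%s://%s%s" % (scheme, host, resource_path)


def build_location_from_config(resource_path):
    """Fixed pattern: derive the URL from server configuration only."""
    base = CONFIGURED_HOST_HREF.rstrip("/") + "/"
    return urljoin(base, resource_path.lstrip("/"))


def location_matches_body(body_url, location_header):
    """Regression check from the commit: Location must equal the body's URL."""
    return body_url == location_header


def host_header_is_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """Defensive check: accept only Host values naming a known hostname.

    Strips an optional port; bracketed IPv6 literals are handled separately
    so the colon-split does not mangle them.
    """
    host = headers.get("Host", "").strip().lower()
    if host.startswith("["):
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":")[0]
    return host in allowed_hosts


def handle_create(headers, resource_path, use_fix=True):
    """Simulate a create-resource response as (status, headers, body).

    With use_fix=False the handler reproduces the pre-fix behaviour: body URL
    from configuration, Location from the request's Host header.
    """
    body_url = build_location_from_config(resource_path)
    if use_fix:
        location = body_url
    else:
        location = build_location_from_host_header(headers, resource_path)
    return 201, {"Location": location}, {"secret_ref": body_url}


if __name__ == "__main__":
    # Constructed request carrying a spoofed Host header.
    spoofed = {"Host": "evil.example.net", "X-Forwarded-Proto": "http"}
    path = "/v1/secrets/abc"
    for use_fix in (False, True):
        status, hdrs, body = handle_create(spoofed, path, use_fix=use_fix)
        print("fix" if use_fix else "pre-fix", hdrs["Location"],
              "matches body:", location_matches_body(body["secret_ref"],
                                                     hdrs["Location"]))
```

The `location_matches_body` check is the property the commit's functional tests pin down; `host_header_is_allowed` is an additional front-door check a deployment can apply so an unexpected `Host` is rejected before any URL is built from it.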