outlandishlizard commented on PR #619: URL: https://github.com/apache/httpcomponents-client/pull/619#issuecomment-2726765179
This PR appears to fundamentally misunderstand the risks; it's not a packet injection or MITM attack, it's an in-band attack within user-supplied data. The notion that an application should know that it needs to parse and sanitize out a magic Apache-specific boundary token from input is absurd. The changes in this PR are actively dangerous and should be reverted immediately, as they result in a fundamentally unsafe default behavior.
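The in-band risk the comment describes can be shown with a small multipart/form-data encoder and decoder. This is an added example, not code from httpcomponents-client and not a description of what PR #619 changes; the field names, the FIXEDBOUNDARY token and the attacker-controlled comment value are constructed for illustration. It shows a body built around a guessable, reused boundary being split by user data that happens to contain that boundary, so an extra part the application never wrote reaches the server, and the same data encoded under a per-request random boundary with a check that no part contains it.

```python
import re
import secrets

CRLF = b"\r\n"
# Constructed: a guessable, application-wide delimiter, the kind of "magic token"
# an attacker can simply include in the data they submit.
FIXED_BOUNDARY = b"FIXEDBOUNDARY"


def build_multipart(parts, boundary):
    """Encode (name, value) pairs as multipart/form-data with the given boundary.

    No escaping is possible for the value: multipart has no quoting mechanism, so the
    only thing separating parts is the delimiter itself.
    """
    out = []
    for name, value in parts:
        out.append(b"--" + boundary + CRLF)
        out.append(b'Content-Disposition: form-data; name="' + name.encode() + b'"' + CRLF)
        out.append(CRLF)
        out.append(value + CRLF)
    out.append(b"--" + boundary + b"--" + CRLF)
    return b"".join(out)


def parse_multipart(body, boundary):
    """Minimal server-side decoder: {name: value}; a later part overwrites an earlier one."""
    fields = {}
    for seg in body.split(b"--" + boundary)[1:]:
        if seg.startswith(b"--"):  # closing delimiter, nothing after it matters
            break
        head, _, value = seg.partition(CRLF + CRLF)
        m = re.search(rb'name="([^"]*)"', head)
        if m is None:
            continue
        if value.endswith(CRLF):
            value = value[: -len(CRLF)]
        fields[m.group(1).decode()] = value
    return fields


def build_multipart_safely(parts, boundary=None):
    """Unpredictable per-request boundary, and refuse to encode data that contains it.

    The boundary argument exists only so the rejection path can be exercised; callers
    should leave it None.
    """
    if boundary is None:
        boundary = secrets.token_hex(16).encode()
    delimiter = b"--" + boundary
    for name, value in parts:
        if delimiter in value:
            raise ValueError(f"field {name!r} contains the multipart delimiter")
    return boundary, build_multipart(parts, boundary)


# Constructed attacker input: an ordinary-looking comment that carries a complete
# extra part, terminated by the boundary the attacker knows the client will use.
ATTACKER_COMMENT = (
    b"looks fine" + CRLF
    + b"--" + FIXED_BOUNDARY + CRLF
    + b'Content-Disposition: form-data; name="role"' + CRLF
    + CRLF
    + b"admin"
)

# Constructed request: the application sets role itself and appends the user's comment.
REQUEST_PARTS = [("role", b"user"), ("comment", ATTACKER_COMMENT)]


def demo_fixed_boundary():
    """Guessable boundary: the attacker's comment becomes two parts and overwrites role."""
    body = build_multipart(REQUEST_PARTS, FIXED_BOUNDARY)
    return parse_multipart(body, FIXED_BOUNDARY)


def demo_random_boundary():
    """Per-request boundary: the same bytes are just the contents of the comment field."""
    boundary, body = build_multipart_safely(REQUEST_PARTS)
    return parse_multipart(body, boundary)


if __name__ == "__main__":
    print("fixed boundary :", demo_fixed_boundary())
    print("random boundary:", demo_random_boundary())
```

The decoder here is deliberately naive, but any compliant parser behaves the same way on the injected delimiter: the spec gives the encoder no way to escape it, which is why the only sound defence is a boundary the data's author cannot predict, plus refusing to send data that collides with it.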