Vulnerability in EPiServer.Forms
Reposting this in correct room and description
"Invalid non-ASCII or control character in header: 0x2212"
If you have multi-culture enabled and query the delivery API in the 'nb-no' culture, whereas there are no issues for any other culture so far - but it possibly could happen for other cultures, I've only tried a few from a list.
I started investigating this bit by bit, and in the end it turns out the problem was coming from [OutputCacheFilterAttribute] when it tries to add the ETag hash code (the ETag hash contains non-ASCII characters) to the header, like:
typedHeaders.ETag = new EntityTagHeaderValue((StringSegment)("\"" + evaluateResult.ETag + "\""));
These are all private/sealed class methods, so there is nothing much you can do to control it - any chance it can be base64 encoded before being added to the header, as .NET 5 as of now does not seem to support non-ASCII characters in headers?
Or any chance the API can provide some options to control/disable ETag generation? There is a ContentETagGenerator available, but OutputCacheFilterAttribute regenerates the hash again within its private methods.
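An added illustration of the failure described in the post above (not code from the thread or from the Content Delivery API): 0x2212 is the Unicode minus sign, so the sketch assumes the tag is built from an integer hash code formatted with the request culture, which the page does not confirm because the attribute's internals are private. The class, method names and sample values are hypothetical; it compares that formatting with two culture-independent encodings, including the base64 idea raised in the post, and checks each result for characters outside printable ASCII.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ETagDemo // hypothetical demo class, not part of any Episerver package
{
    // Culture-sensitive: Int32.ToString() uses the current culture's NegativeSign.
    public static string CultureSensitiveETag(int hashCode) =>
        "\"" + hashCode.ToString() + "\"";

    // Same 32 bits as fixed-width hex: no sign character, no culture involved.
    public static string InvariantHexETag(int hashCode) =>
        "\"" + unchecked((uint)hashCode).ToString("x8", CultureInfo.InvariantCulture) + "\"";

    // Base64url over a digest of the cache key, the encoding suggested in the post.
    public static string Base64UrlETag(string cacheKey)
    {
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(cacheKey));
        string b64 = Convert.ToBase64String(digest, 0, 16); // first 128 bits
        return "\"" + b64.TrimEnd('=').Replace('+', '-').Replace('/', '_') + "\"";
    }

    // Guard to run before a value is assigned to a response header.
    public static bool IsHeaderSafe(string value) =>
        value.All(c => c >= 0x20 && c <= 0x7E);

    static void Main()
    {
        CultureInfo.CurrentCulture = new CultureInfo("nb-NO"); // culture from the report
        int hash = -123456789;                                 // constructed sample value
        string key = "/api/content/42?lang=nb-no";             // constructed sample key

        foreach (string etag in new[] { CultureSensitiveETag(hash), InvariantHexETag(hash), Base64UrlETag(key) })
        {
            // List the code points that would be rejected in a header value.
            string offending = string.Join(" ", etag
                .Where(c => c < 0x20 || c > 0x7E)
                .Select(c => "0x" + ((int)c).ToString("X4", CultureInfo.InvariantCulture)));
            Console.WriteLine($"{etag} header-safe={IsHeaderSafe(etag)} {offending}");
        }
    }
}
```

Whether the first variant actually emits the Unicode minus depends on the globalization data the runtime uses for nb-NO; the other two variants do not depend on culture at all.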
Are you using the released version of Content Delivery? This is a known bug that should've been fixed.
Hi Johan, yes using v3.0.0 which I believe is the latest as of now.
I have the same issue with v3.0.0.
The fix ended up in 3.0.1 and will hopefully be released early next week.
Hi Johan! Any update on v 3.0.1?
3.0.1 is published now.
Thank you! Issue resolved. :)