Closed ioggstream closed 5 years ago
@LPardue I have been suggested this, but thinking twice this seems invalid to me.
The length-extension attack impacts the overall signature string and imho is not related to `Digest` per se. `Digest` header explicitly doesn't provide Authorization, so as long as Length-Extension Attack is this one https://en.wikipedia.org/wiki/Length_extension_attack this seems invalid to me.
This PR
Suggests signing content-length when using digest-algorithms subject to length-extension attacks.