Commit graph

1 commit

Author SHA1 Message Date
Alhuda Khan
a36384ab94
http: trim custom header name before the Authorization drop
A custom header name padded with blanks (`Authorization :`) missed the
exact-length compare and slipped past the cross-host Authorization and
Cookie drop, forwarding the header to the redirect target. Trim the
parsed name in both the request and proxy CONNECT header builders.

Closes #22178
2026-06-26 14:50:04 +02:00