Hello!
I'm considering using this tool to perform virus scans in my project. I hope it fits perfectly!
While reading the documentation in the README file (clammit/README.md, line 167 in bb49060), I noticed this line:
> 4. The only request that will be tested will have methods POST/PUT/PATCH
This seems like a security hole. A malicious actor could just change the method to GET, for example, and, if the application doesn't care about the HTTP method used, it could receive a malicious file through a GET request.
Found out that you already changed the conditions under which the request would be forwarded to a scanner in this issue: #21.
So maybe you just forgot to update the docs? If so, I could rephrase that and submit a PR, if you'd like.
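To make the bypass concrete, here is an added Go example (my own sketch, not Clammit's code and not part of the issue author's report). It contrasts a method-based scan policy like the one the quoted README line describes with a policy that scans whenever a body is present, and runs both through a minimal scanning proxy in front of a constructed backend that, like the application in the issue, accepts a file regardless of verb. The detector is a toy that only matches the EICAR test string; the handler names, the `/upload` path and the 403 response are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// eicar is the standard antivirus test string; real scanners flag it, so it
// is a safe stand-in for "a malicious file" in a constructed request body.
const eicar = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

// looksInfected is a toy detector standing in for a call to a real scanner.
func looksInfected(body []byte) bool {
	return bytes.Contains(body, []byte(eicar))
}

// policyMethodOnly is the rule the quoted README line describes (assumed
// reconstruction, not Clammit's implementation): only POST/PUT/PATCH bodies
// are forwarded to the scanner. A GET with a body is never inspected.
func policyMethodOnly(r *http.Request) bool {
	switch r.Method {
	case http.MethodPost, http.MethodPut, http.MethodPatch:
		return true
	}
	return false
}

// policyAnyBody scans whenever there is something to scan, whatever the verb.
// Go sets ContentLength to -1 when the length is unknown (chunked) and to 0
// when there is no body, so any non-zero value means bytes will arrive.
func policyAnyBody(r *http.Request) bool {
	return r.Body != nil && r.Body != http.NoBody && r.ContentLength != 0
}

// ScanningProxy wraps an upstream handler: requests selected by policy have
// their body read and checked; clean bodies are replayed to the upstream.
func ScanningProxy(policy func(*http.Request) bool, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if policy(r) {
			body, err := io.ReadAll(r.Body)
			if err != nil {
				http.Error(w, "cannot read body", http.StatusBadRequest)
				return
			}
			if looksInfected(body) {
				http.Error(w, "virus detected", http.StatusForbidden) // assumed response
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body)) // hand upstream the same bytes
		}
		upstream.ServeHTTP(w, r)
	})
}

// upstream is a constructed backend that ignores the HTTP method and stores
// whatever body it receives, exactly the situation the issue worries about.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	n, _ := io.Copy(io.Discard, r.Body)
	fmt.Fprintf(w, "stored %d bytes via %s", n, r.Method)
})

// Send pushes one constructed request through the proxy and returns the
// status code the client would see.
func Send(policy func(*http.Request) bool, method, body string) int {
	var rdr io.Reader
	if body != "" {
		rdr = strings.NewReader(body)
	}
	req := httptest.NewRequest(method, "http://app.example/upload", rdr)
	rec := httptest.NewRecorder()
	ScanningProxy(policy, upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, m := range []string{http.MethodPost, http.MethodGet} {
		fmt.Printf("%-4s method-only policy: %d   any-body policy: %d\n", m,
			Send(policyMethodOnly, m, eicar), Send(policyAnyBody, m, eicar))
	}
}
```

With the method-only policy the POST is rejected but the same EICAR body sent via GET reaches the backend untouched; with the body-based policy both are rejected, while a body-less GET and a clean PUT still pass through.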