Volker Krause authored
That is, we ended up handling e.g. "Repl:" as "Reply-To:" here, and thus this can have side-effects on application behavior such as determining who to send a reply to. As this might allow bypasses of mechanisms that sign a certain subset of relevant headers, this is rather problematic. This is caused by only checking the length of the input string, but not the length of the expected string for the name comparison. Thanks to Marcus Brinkmann for discovering this.
6b86a05f
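The comparison flaw described in the commit message, as an added example that is not the project's own code: a header-name check bounded only by the input length, next to one that also requires the lengths to be equal. All function names and the sample header lines are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <strings.h> // strncasecmp (POSIX)

// Hypothetical helpers for illustration only.

// Flawed: compares just the first `len` bytes of the input, so any
// case-insensitive prefix of the expected name ("Repl") is accepted.
bool nameMatchesPrefixOnly(const char *input, std::size_t len, const char *expected)
{
    return len > 0 && strncasecmp(input, expected, len) == 0;
}

// Corrected: the input name must also be exactly as long as the expected one.
bool nameMatchesExact(const char *input, std::size_t len, const char *expected)
{
    return len == std::strlen(expected) && strncasecmp(input, expected, len) == 0;
}

// Number of bytes before ':' in a raw header line, 0 if there is no colon.
std::size_t fieldNameLength(const char *line)
{
    const char *colon = std::strchr(line, ':');
    return colon ? static_cast<std::size_t>(colon - line) : 0;
}

bool isReplyToFlawed(const char *line)
{
    return nameMatchesPrefixOnly(line, fieldNameLength(line), "Reply-To");
}

bool isReplyToFixed(const char *line)
{
    return nameMatchesExact(line, fieldNameLength(line), "Reply-To");
}

int main()
{
    // Constructed sample: a signature covering "Reply-To" does not cover "Repl",
    // yet the flawed check would still treat this line as the reply address.
    const char *line = "Repl: someone@example.org";
    std::printf("flawed=%d fixed=%d\n", isReplyToFlawed(line), isReplyToFixed(line));
    return 0;
}
```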