Kristian Erik Hermansen <kristian.herman...@gmail.com> writes: > I still contend that this is at least a bug, and potentially a > security issue, but only when the headers are ones that should NEVER > have multiple values.
I agree with others that it's not clear that there's a security issue here. It appears that wget/curl can be used to generate HTTP requests (or pseudo-HTTP requests) that might exploit security problems in web servers, but that's the web servers' problem, not wget's/curl's. Certainly, making sure that wget/curl can't generate such requests doesn't stop the black-hats from generating them by other means. Dale