tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 19705] - Newlines should not be allowed in status message
Date Wed, 24 Sep 2003 21:29:33 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19705>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19705

Newlines should not be allowed in status message





------- Additional Comments From dpotter@mitre.org  2003-09-24 21:29 -------
This bug hasn't been touched in months, but I've done a new patch against the
latest CVS code available through the anonymous CVS system and it fixes the
error not just for newline characters but it also removes any character that is
invalid according to the HTTP spec.

Basically, it chops the message off at the first \n or \r it encounters, and
then removes any character that's outside the range of [32..127] (except 9,
which is the horizontal tab and is allowed) and replaces them with a "?".  This
"sanitizes" the message and ensures that the HTTP response returned is valid.

I didn't do anything to the headers that are then displayed, only the status
line to fix the specific bug where an ANT error message is returned, breaking
the HTTP response.  However, something probably should be done (probably when
the headers are set?) to prevent invalid characters from being set as HTTP
header names and HTTP header values.
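
The two-step sanitization described in the comment above (truncate at the first CR or LF, then replace disallowed characters with "?"), written out as an added example; it is not the patch attached to the bug and not Tomcat code. The class name, method name and sample messages are hypothetical.

```java
public final class StatusMessageSanitizer {
    // Bounds as given in the comment: 32..127 are kept, plus horizontal tab (9).
    // RFC 2616 classes 127 (DEL) as a control character, so a stricter
    // variant would set MAX_ALLOWED to 126.
    private static final int MIN_ALLOWED = 32;
    private static final int MAX_ALLOWED = 127;
    private static final char TAB = 9;

    private StatusMessageSanitizer() {}

    /** Hypothetical helper: returns a status message safe to write on the status line. */
    public static String sanitize(String message) {
        if (message == null) {
            return "";
        }
        // Step 1: cut the message at the first CR or LF so that nothing
        // from the message can spill past the end of the status line.
        int end = message.length();
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            if (c == '\r' || c == '\n') {
                end = i;
                break;
            }
        }
        // Step 2: replace every remaining character outside the allowed
        // range with '?', keeping the message length unchanged.
        StringBuilder out = new StringBuilder(end);
        for (int i = 0; i < end; i++) {
            char c = message.charAt(i);
            boolean allowed = c == TAB || (c >= MIN_ALLOWED && c <= MAX_ALLOWED);
            out.append(allowed ? c : '?');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample messages, including a multi-line build error.
        String[] samples = {
            "Not Found",
            "BUILD FAILED\nfile:/build.xml:12: compile error",
            "Bad\u0000value\twith\u00e9accent",
        };
        for (String s : samples) {
            System.out.println("HTTP/1.1 500 " + sanitize(s));
        }
    }
}
```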
