tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject RE: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from header values
Date Tue, 10 Jun 2008 22:37:37 GMT
My understanding is that CRLF breaks the RFC and leads to HTTP response splitting attacks.

-----Original Message-----
From: bugzilla@apache.org
Sent: Tuesday, June 10, 2008 11:50 AM
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from header values

https://issues.apache.org/bugzilla/show_bug.cgi?id=45180

           Summary: CRLF Newline characters stripped from header values
           Product: Tomcat 5
           Version: 5.5.26
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: asf-bugzilla@rodneybeede.com


While trying to implement RFC 2231 with "Parameter Value Continuations" I had a
header that should appear as follows:

Content-Disposition: attachment;
filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog";
        filename*1="_boy_this_is_a_long_header_value";
        filename*2="_now_is_it_not.csv"


That is according to RFC 2231 which allows this.  I use
HttpServletResponse.addHeader(String,String) to add the appropriate header as
so:

addHeader("Content-Disposition", above value with \r\n inside the string)


Unfortunately Tomcat is replacing my String's "\r\n" after each ";" with two
spaces instead.

This results in the actual header returned to the browser being:

Content-Disposition: attachment;
filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog"; 
       filename*1="_boy_this_is_a_long_header_value";         
filename*2="_now_is_it_not.csv"

[Each ; is followed by <space><space><tab>filename instead of
\r\n<tab>filename]

Firefox 2.0.14 will gracefully correct this malformed, non-compliant RFC2231
header, but neither Internet Explorer 6 nor 7 will handle this correctly.  IE is
more strict about the RFC2231 format.

I believe this may have been implemented to discourage XSS mistakes in code,
but now it breaks using \r\n inside header values.

Perhaps a new method such as "addUncheckedHeader(String,String)" that doesn't
scrub the \r\n would be appropriate?


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bu

[The entire original message is not included]

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
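
Added example, not code from this thread or from Tomcat: plain-JDK Java showing the two header-value policies discussed above (replacing CR/LF with spaces, as the report observes, versus rejecting the value) and RFC 2231 continuation parameters emitted on one line, so the value needs no CRLF. Class and method names are hypothetical, the sample values are constructed, and the filename is assumed to be ASCII; RFC 2616 gives folded whitespace the same semantics as a single space.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: class and method names are hypothetical, not Tomcat's API.
public class HeaderValueDemo {

    // Replace every CR and LF with a space so the value stays on one header line.
    static String neutralize(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            sb.append(c == '\r' || c == '\n' ? ' ' : c);
        }
        return sb.toString();
    }

    // Stricter alternative: refuse the value instead of silently rewriting it.
    static String requireSingleLine(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR or LF in header value");
        }
        return value;
    }

    // Build RFC 2231 continuation parameters (filename*0, filename*1, ...) joined
    // with "; " on one line. Assumes an ASCII filename and chunk > 0.
    static String contentDisposition(String filename, int chunk) {
        requireSingleLine(filename);
        List<String> params = new ArrayList<>();
        for (int i = 0, n = 0; i < filename.length(); i += chunk, n++) {
            String piece = filename.substring(i, Math.min(filename.length(), i + chunk));
            // Escape backslash and double quote for the quoted-string form.
            piece = piece.replace("\\", "\\\\").replace("\"", "\\\"");
            params.add("filename*" + n + "=\"" + piece + "\"");
        }
        return params.isEmpty() ? "attachment" : "attachment; " + String.join("; ", params);
    }

    public static void main(String[] args) {
        // Constructed value folded with CRLF + tab, as the report passes to addHeader.
        String folded = "attachment;\r\n\tfilename*0=\"long_name\";\r\n\tfilename*1=\".csv\"";
        System.out.println("Content-Disposition: " + neutralize(folded));
        // Constructed value carrying a CRLF that would otherwise start a new header line.
        System.out.println("X-Report-Name: " + neutralize("q2.csv\r\nX-Extra: constructed"));
        // Same parameters without any CRLF in the value.
        System.out.println("Content-Disposition: " + contentDisposition("long_name_for_a_report.csv", 10));
    }
}
```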

