tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: svn commit: r1479953 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/http/parser/HttpParser.java test/org/apache/tomcat/util/http/parser/TestMediaType.java webapps/docs/changelog.xml
Date Wed, 08 May 2013 13:22:10 GMT
Mark,

On 5/7/13 11:54 AM, markt@apache.org wrote:
> Author: markt
> Date: Tue May  7 15:54:36 2013
> New Revision: 1479953
> 
> URL: http://svn.apache.org/r1479953
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54703
> Be tolerant of applications that pass CR or LF in setHeader() values.
> Fix some whitespace parsing issues idnetifed by the extended test cases in readTokenOrQuotedString()

How does this impact HTTP response-splitting exploits triggered by
webapps that don't sanitize their response headers?

Also:

> +    private static final String[] LWS_VALUES = new String[] {
> +            "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
> +            "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };

Is LWS_VALUES an empty string? Just a sanity check that headers without
any leading whitespace don't cause any problems? Seems like many many
other tests would verify that...

-chris


Mime
View raw message