tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: svn commit: r1479953 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/http/parser/HttpParser.java test/org/apache/tomcat/util/http/parser/TestMediaType.java webapps/docs/changelog.xml
Date Wed, 08 May 2013 14:12:53 GMT
Mark,

On 5/8/13 10:08 AM, Mark Thomas wrote:
> On 08/05/2013 14:22, Christopher Schultz wrote:
>> Mark,
> 
>> On 5/7/13 11:54 AM, markt@apache.org wrote:
>>> Author: markt
>>> Date: Tue May  7 15:54:36 2013
>>> New Revision: 1479953
>>>
>>> URL: http://svn.apache.org/r1479953
>>> Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54703
>>> Be tolerant of applications that pass CR or LF in setHeader()
>>> values. Fix some whitespace parsing issues identified by the
>>> extended test cases in readTokenOrQuotedString()
> 
>> How does this impact HTTP response-splitting exploits triggered by 
>> webapps that don't sanitize their response headers?
> 
> It does very little because only Content-Type headers are parsed. The
> likelihood is that any app vulnerable before this change is still vulnerable.

Aah, I didn't realize this was restricted to Content-Type headers -- I
was only reading the diff itself. Thanks for the clarification.

>> Also:
> 
>>> +    private static final String[] LWS_VALUES = new String[] { +
>>> "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n", +
>>> "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };
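Review bot: several entries in LWS_VALUES ("\r", "\n", "\r\n", " \r", " \n", " \r\n") are not linear white space under RFC 2616, where LWS is [CRLF] 1*( SP | HT ), so a bare CR or LF, or a CRLF without a following SP or HT, is not LWS at all. Since the commit log says the parser is being made tolerant of CR or LF passed through setHeader(), a one-line comment above the array saying that these entries are deliberate tolerance cases rather than valid LWS would keep the next reader from taking them for a grammar mistake in the test.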
> 
>> Is LWS_VALUES an empty string? Just a sanity check that headers
>> without any leading whitespace don't cause any problems? Seems like
>> many many other tests would verify that...
> 
> No, LWS_VALUES is an array of Strings one of which is the empty
> String. Each value in the array is used for a series of tests in turn.

Sorry, I attempted to say "Is LWS_VALUES[0] an empty string?". I see
that you are running tests against each one... I was just wondering if
the empty-string test was just for completeness rather than intending
for it to be a certain type of whitespace (as opposed to none).

Thanks,
-chris
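The two concerns in this thread are easy to conflate: the parser being made tolerant of CR/LF inside a Content-Type value, and response splitting through any header an application writes from unsanitized input. The following is an added example, not Tomcat's HttpParser and not code from the thread. It assumes a tolerant-LWS policy modelled on the commit log (bare CR and LF skipped like SP/HT), the RFC 2616 token and quoted-string grammar, and function names of my own (skip_lws, read_token_or_quoted_string, parse_media_type, wire_lines); the LWS_VALUES list is a constructed copy of the one quoted above. The parser accepts every LWS variant from that list in a Content-Type value, while wire_lines shows that the check that actually prevents splitting has to happen when a header is written, independent of how Content-Type is parsed.

```python
import re

# Constructed copy of the LWS variants quoted from the test in the thread.
LWS_VALUES = ["", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
              "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n "]

# Tolerant policy (assumption, modelled on the commit log): bare CR and LF are
# skipped as if they were SP/HT, even though RFC 2616 LWS is [CRLF] 1*(SP|HT).
_LWS_CHARS = " \t\r\n"

# RFC 2616 token: 1*<any CHAR except CTLs or separators>
_TOKEN_RE = re.compile(r'[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+')


def skip_lws(s, i):
    """Advance i past any tolerant linear white space."""
    while i < len(s) and s[i] in _LWS_CHARS:
        i += 1
    return i


def read_token_or_quoted_string(s, i):
    """Read a token or a quoted-string at s[i], after skipping optional LWS.

    Returns (value, index_after_value). Backslash escapes inside a
    quoted-string are unescaped; an unterminated quoted-string is an error.
    """
    i = skip_lws(s, i)
    if i < len(s) and s[i] == '"':
        out = []
        i += 1
        while i < len(s):
            c = s[i]
            if c == "\\" and i + 1 < len(s):
                out.append(s[i + 1])
                i += 2
                continue
            if c == '"':
                return "".join(out), i + 1
            out.append(c)
            i += 1
        raise ValueError("unterminated quoted-string")
    m = _TOKEN_RE.match(s, i)
    if not m:
        raise ValueError("expected token at offset %d" % i)
    return m.group(0), m.end()


def parse_media_type(value):
    """Parse a Content-Type value into (type, subtype, {param: value}).

    Grammar (RFC 2616 3.7, with the tolerant LWS above between elements):
        media-type = type "/" subtype *( ";" parameter )
        parameter  = attribute "=" value
    """
    typ, i = read_token_or_quoted_string(value, 0)
    i = skip_lws(value, i)
    if i >= len(value) or value[i] != "/":
        raise ValueError("expected '/' at offset %d" % i)
    sub, i = read_token_or_quoted_string(value, i + 1)
    params = {}
    i = skip_lws(value, i)
    while i < len(value) and value[i] == ";":
        name, i = read_token_or_quoted_string(value, i + 1)
        i = skip_lws(value, i)
        if i >= len(value) or value[i] != "=":
            raise ValueError("parameter %r has no value" % name)
        val, i = read_token_or_quoted_string(value, i + 1)
        params[name.lower()] = val
        i = skip_lws(value, i)
    if i != len(value):
        raise ValueError("unexpected %r at offset %d" % (value[i], i))
    return typ.lower(), sub.lower(), params


def wire_lines(name, value, strict=True):
    """Serialize one response header and return the lines a client would see.

    strict=True is the check an application (or container) must apply before
    writing any header built from untrusted input: a CR or LF in the value
    turns one header into several. strict=False shows what happens without it.
    """
    if strict and re.search(r"[\r\n]", name + value):
        raise ValueError("CR/LF in header %r" % name)
    raw = "%s: %s\r\n" % (name, value)
    # RFC 2616 19.3 asks recipients to accept a bare LF as a line terminator,
    # so split on CRLF, CR or LF to mirror a lenient client.
    return [ln for ln in re.split(r"\r\n|\r|\n", raw) if ln]


if __name__ == "__main__":
    for lws in LWS_VALUES:
        ct = "text/html;" + lws + "charset" + lws + "=" + lws + "UTF-8" + lws
        assert parse_media_type(ct) == ("text", "html", {"charset": "UTF-8"})
    print(wire_lines("Location", "/next\r\nSet-Cookie: sid=attacker", strict=False))
```

Note that the tolerance in parse_media_type only changes what the container accepts when it reads the Content-Type value back; a Location or Set-Cookie header built from request data still goes onto the wire verbatim, which is why wire_lines refuses CR and LF in strict mode regardless of the header name.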

