From: Mark Thomas
To: Tomcat Developers List
Date: Wed, 08 May 2013 15:08:09 +0100
Subject: Re: svn commit: r1479953 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/http/parser/HttpParser.java test/org/apache/tomcat/util/http/parser/TestMediaType.java webapps/docs/changelog.xml
Message-ID: <518A5C49.8070002@apache.org>
References: <20130507155437.62A232388962@eris.apache.org> <518A5182.50306@christopherschultz.net>
In-Reply-To: <518A5182.50306@christopherschultz.net>

On 08/05/2013 14:22, Christopher Schultz wrote:
> Mark,
>
> On 5/7/13 11:54 AM, markt@apache.org wrote:
>> Author: markt
>> Date:
>> Tue May 7 15:54:36 2013
>> New Revision: 1479953
>>
>> URL: http://svn.apache.org/r1479953
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54703
>> Be tolerant of applications that pass CR or LF in setHeader() values.
>> Fix some whitespace parsing issues identified by the extended test
>> cases in readTokenOrQuotedString()
>
> How does this impact HTTP response-splitting exploits triggered by
> webapps that don't sanitize their response headers?

It does very little because only Content-Type headers are parsed. The
likelihood is that any app vulnerable before this change is still
vulnerable.

> Also:
>
>> + private static final String[] LWS_VALUES = new String[] {
>> + "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
>> + "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };
>
> Is LWS_VALUES an empty string? Just a sanity check that headers
> without any leading whitespace don't cause any problems? Seems like
> many many other tests would verify that...

No, LWS_VALUES is an array of Strings one of which is the empty String.
Each value in the array is used for a series of tests in turn.
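Review bot: the LWS_VALUES array in the quoted hunk exercises a tab only on its own and never a run of more than one space, while LWS in the HTTP/1.1 grammar is an optional CRLF followed by one or more SP or HT; adding cases such as " \t", "\r\n\t" and "  " (two spaces) would cover the combinations readTokenOrQuotedString() is equally likely to meet, and the test loop already iterates the array so no other change is needed.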
Mark
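An added illustration of the two separate points in this thread, written for this page and not taken from Tomcat's HttpParser or the TestMediaType case in r1479953: a small tolerant token-or-quoted-string reader driven through the same LWS_VALUES permutations quoted above (each value used in turn, leading and trailing), beside the CR/LF check that a webapp still has to apply before calling setHeader(), because, as Mark says, the parser change only affects how Content-Type is read and does not stop response splitting. The class and method names, the simplified grammar and the sample header values are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical, self-contained reader for a token or quoted-string that
 * tolerates linear white space (LWS) including CR and LF around the value.
 * Not Tomcat's code; a simplified version of the RFC 2616 grammar.
 */
public class LwsTolerantParser {

    // The same LWS permutations quoted from the test case in the thread.
    static final String[] LWS_VALUES = new String[] {
        "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
        "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };

    static boolean isLws(char c) {
        return c == ' ' || c == '\t' || c == '\r' || c == '\n';
    }

    /** Skip LWS starting at pos; returns the index of the first non-LWS char. */
    static int skipLws(String s, int pos) {
        while (pos < s.length() && isLws(s.charAt(pos))) pos++;
        return pos;
    }

    /**
     * Reads a token or a quoted-string from the start of s, tolerating LWS on
     * either side. Returns the unquoted value, or null if nothing parseable is
     * found (empty input or an unterminated quoted-string).
     */
    static String readTokenOrQuotedString(String s) {
        int pos = skipLws(s, 0);
        if (pos >= s.length()) return null;
        StringBuilder sb = new StringBuilder();
        if (s.charAt(pos) == '"') {
            pos++;
            while (pos < s.length() && s.charAt(pos) != '"') {
                char c = s.charAt(pos);
                if (c == '\\' && pos + 1 < s.length()) { // quoted-pair
                    sb.append(s.charAt(pos + 1));
                    pos += 2;
                } else {
                    sb.append(c);
                    pos++;
                }
            }
            if (pos >= s.length()) return null; // unterminated quoted-string
        } else {
            // token: read until LWS or a parameter separator
            while (pos < s.length() && !isLws(s.charAt(pos))
                    && s.charAt(pos) != ';' && s.charAt(pos) != '=') {
                sb.append(s.charAt(pos++));
            }
        }
        // trailing LWS is tolerated; anything after the value is ignored here
        return sb.toString();
    }

    /**
     * What the parser change does NOT do for a webapp: refuse a raw CR or LF
     * in a header value before it reaches setHeader(). The application must
     * reject or encode such a value itself.
     */
    static boolean isSafeHeaderValue(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    static String escape(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t");
    }

    public static void main(String[] args) {
        List<String> failures = new ArrayList<>();
        // Each LWS value is used in turn, around a token and around a quoted-string.
        for (String lws : LWS_VALUES) {
            String token = readTokenOrQuotedString(lws + "text/plain" + lws);
            if (!"text/plain".equals(token)) failures.add("token with LWS " + escape(lws));
            String quoted = readTokenOrQuotedString(lws + "\"a b\"" + lws);
            if (!"a b".equals(quoted)) failures.add("quoted with LWS " + escape(lws));
        }
        System.out.println(failures.isEmpty() ? "all LWS cases parsed" : "failures: " + failures);

        // Constructed values: the parser tolerates the second one, the webapp must still refuse it.
        String[] samples = { "text/html; charset=UTF-8", "text/html\r\nX-Injected: 1" };
        for (String v : samples) {
            System.out.println(escape(v) + " safe=" + isSafeHeaderValue(v));
        }
    }
}
```

The loop mirrors how the quoted test uses LWS_VALUES: the array, not a single string, is iterated, and the empty string is simply the no-whitespace case. The isSafeHeaderValue check is the part that belongs in the application, not the container; a tolerant parser on the reading side changes nothing about what a webapp writes into a response header.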