tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject [OT] Protecting against HTTP response splitting
Date Wed, 30 Mar 2011 20:12:08 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I was playing around with findbugs today and saw a security warning I've
never seen before: "HTTP parameter directly written to HTTP header
output in [somefile.java]".

I read a bit more into it and the warning was correct, I was doing
something akin to the following:

response.sendRedirect(request.getParameter("returnURL"));

Aside from not running the redirect through response.encodeRedirectURL,
there's another potential problem there: the user can specify a return
URL that breaks the HTTP response and can do some evil things. I
verified that I can break my own response in this way by adding "%0d%0a"
and then more stuff to my "returnURL" parameter and I magically escaped
the "Location" header of the response.

The suggested mitigation is to URL-encode the value before putting it
into the header.

I was wondering if anyone was doing anything like this and has a
suggestion for allowing the UI to control its own "return to" URLs in a
safe way. We'd like to use returnURL values that allow for query
parameters to be passed back to the target URL, so we can't just blindly
URL-encode the URL; otherwise those parameters will become part of the
URL and not the query string.

I suppose I could also just look for and replace whitespace, which is
not legal in a URL anyway.

Any other thoughts or suggestions?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2TjpgACgkQ9CaO5/Lv0PDAwQCfa8sSdRzAE7ZNjv0P1s/qD95L
FGEAnjA8ZbobU/8s90lE2huLx/+B2smV
=vJ6w
-----END PGP SIGNATURE-----
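The following is an added example, not code from the original post or from Tomcat, showing one way to validate a "returnURL" parameter before handing it to response.sendRedirect. It keeps the query string intact (the problem the post raises with blind URL-encoding) while refusing anything that could split the response or send the user off-site. The class name, the method names, and the policy of only accepting same-site relative paths are assumptions made for this example; the sample inputs in main() are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not from the original post): validates a user-supplied
 * return URL before it is written into a Location header.
 *
 * Policy assumed here: the redirect target must be a relative path on this
 * site ("/something?a=1&b=2"). Absolute URLs, protocol-relative URLs
 * ("//host/..."), and anything carrying control characters are replaced
 * with the caller's fallback.
 */
public final class ReturnUrlValidator {

    private ReturnUrlValidator() {}

    /**
     * Response splitting needs a CR or LF to reach the header. By the time
     * request.getParameter() returns, "%0d%0a" has already been decoded to
     * real CR/LF characters, so this check looks at the decoded value.
     */
    static boolean hasControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns a redirect target that is safe to pass to sendRedirect(), or
     * the fallback when the candidate is missing or fails validation.
     * The result is rebuilt from parsed components (path, query, fragment),
     * so nothing outside those three parts can survive.
     */
    public static String safeReturnUrl(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        if (hasControlChars(candidate)) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate); // also rejects spaces and backslashes
        } catch (URISyntaxException e) {
            return fallback;
        }
        // "http://evil.example/", "javascript:..." -> absolute, refuse.
        // "//evil.example/path"                    -> authority set, refuse.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return fallback;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return fallback;
        }
        StringBuilder out = new StringBuilder(path);
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery()); // query preserved as-is
        }
        if (uri.getRawFragment() != null) {
            out.append('#').append(uri.getRawFragment());
        }
        return out.toString();
    }

    /** Constructed sample inputs exercising the accept and reject paths. */
    public static void main(String[] args) {
        String[] samples = {
            "/account/orders?page=2&sort=date",       // accepted, query kept
            "/home\r\nSet-Cookie: hacked=1",          // decoded CRLF -> fallback
            "/home%0d%0aSet-Cookie: hacked=1",        // space after ':' -> fallback
            "https://evil.example/phish",             // absolute -> fallback
            "//evil.example/phish",                   // protocol-relative -> fallback
            "javascript:alert(1)",                    // scheme -> fallback
            "relative/path",                          // not rooted -> fallback
            "",                                       // empty -> fallback
        };
        for (String s : samples) {
            String result = safeReturnUrl(s, "/");
            System.out.println("[" + s.replace("\r", "\\r").replace("\n", "\\n")
                    + "] -> " + result);
        }
    }
}
```

In the servlet, the call becomes `response.sendRedirect(response.encodeRedirectURL(ReturnUrlValidator.safeReturnUrl(request.getParameter("returnURL"), "/")))`. Rebuilding the target from parsed components, rather than encoding or stripping whitespace from the raw string, is what lets the query string survive untouched while still guaranteeing no CR/LF and no off-site host can reach the Location header. If off-site return URLs are a requirement, the authority check is the place to substitute an allow-list of expected hosts.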

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
