tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Protecting against HTTP response splitting
Date Thu, 31 Mar 2011 14:20:43 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ronald,

On 3/31/2011 7:05 AM, Ronald Klop wrote:
> Op woensdag, 30 maart 2011 22:12 schreef Christopher Schultz
>>
>>  response.sendRedirect(request.getParameter("returnURL"));
>>  
>>  Aside from not running the redirect through response.encodeRedirectURL,
>>  there's another potential problem, there: the user can specify a return
>>  URL that breaks the HTTP response and can do some evil things. I
>>  verified that I can break my own response in this way by adding "%0d%0a"
>>  and then more stuff to my "returnURL" parameter and I magically escaped
>>  the "Location" header of the response.
>
> I would say that some proper input validation solves your problem.
> Does new URL(redirectURL).toString() give an exception on invalid url's?

I hadn't thought of using the URL class... I'll check that out and let
you know.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2UjbsACgkQ9CaO5/Lv0PBE7QCfV77tnlhrugrclpMnbCcgtXXf
NkQAmwSVAposD625LWo253f6Au3rxaKr
=tOxL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message