tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 00:21:18 GMT

Ronald,

On 3/31/2011 7:05 AM, Ronald Klop wrote:
> I would say that some proper input validation solves your problem.
> Does new URL(redirectURL).toString() give an exception on invalid URLs?

new URL(String) will throw a MalformedURLException if there are illegal
characters in the URL.

I suppose that's good enough for my purposes: the only returnURLs that
should be generated should be coming from our own application, and if
they are broken, it's a bug. If a MalformedURLException is thrown, it
should be due to some sort of malicious use and the user is better off
getting a nasty error than just about anything else.

Thanks,
-chris
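
The return-URL validation discussed in this message, as an added example that is not code from the thread or from Tomcat: a hypothetical `ReturnUrlValidator` that does not depend on the parser to catch CR/LF, parses with `java.net.URI`, and accepts only hosts on an assumed allowlist (`app.example.com` and the sample inputs are constructed placeholders).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: hypothetical helper, not code from the thread or from Tomcat.
public final class ReturnUrlValidator {
    // Assumption: the application knows the hosts it generates return URLs for.
    private final Set<String> allowedHosts;

    public ReturnUrlValidator(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    /** Returns a value fit for a Location header, or throws IllegalArgumentException. */
    public String validate(String returnUrl) {
        if (returnUrl == null) throw new IllegalArgumentException("missing return URL");
        // CR, LF and other control characters would end the Location header early: reject first.
        for (int i = 0; i < returnUrl.length(); i++) {
            if (Character.isISOControl(returnUrl.charAt(i))) {
                throw new IllegalArgumentException("control character in return URL");
            }
        }
        final URI uri;
        try {
            uri = new URI(returnUrl); // strict syntax check
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed return URL", e);
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
                || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("return URL is not one of ours");
        }
        return uri.toASCIIString();
    }

    public static void main(String[] args) {
        ReturnUrlValidator v = new ReturnUrlValidator(Set.of("app.example.com"));
        String[] samples = { // constructed inputs
            "https://app.example.com/account?tab=2",
            "https://app.example.com/x\r\nSet-Cookie: sid=1",
            "https://other.example.net/" };
        for (String s : samples) {
            try { System.out.println("ok   " + v.validate(s)); }
            catch (IllegalArgumentException e) { System.out.println("deny " + e.getMessage()); }
        }
    }
}
```

The string returned by `validate` is what would be passed to `HttpServletResponse.sendRedirect()`; a thrown exception maps to the error page the message describes.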
