tomcat-users mailing list archives

From Christopher Schultz
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 14:49:47 GMT

On 3/31/2011 8:21 PM, Christopher Schultz wrote:
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
> new URL(String) will throw a MalformedURLException if there are illegal
> characters in the URL.
> I suppose that's good enough for my purposes: the only returnURLs that
> should be generated should be coming from our own application, and if
> they are broken, it's a bug. If a MalformedURLException is thrown, it
> should be due to some sort of malicious use and the user is better off
> getting a nasty error than just about anything else.

Apparently, it's more complicated than that... at least when it comes to
my particular application... we want to keep the URLs as short as
possible, so they are not fully-qualified in most cases. Instead, they
are webapp-relative and blindly passing them into the
constructor fails even for "real" URLs because they have no protocol.

Now, I could add code to fully-qualify them, but then I'd be doing work
I'm already asking the container to do for me (since
HttpServletResponse.sendRedirect is required to fully-qualify the URL
anyway) and I'd prefer to rely on the container for that task -- it's
likely to do a better job, anyway :)

I think I'm going to standardize on simply scanning for troublesome
characters like \r and \n and throwing a MalformedURLException or
something like that.

If anyone else has any good ideas or warnings about what might be a
naive sanitization check, I'd be glad to hear them.

-chris
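
The check described in the message above (scan the redirect target for \r and \n and throw a MalformedURLException), as an added example that is not code from the thread. The class and method names are hypothetical, and rejecting every ISO control character rather than only CR and LF is a generalization beyond what the message proposes.

```java
import java.net.MalformedURLException;

public final class RedirectTargetCheck {

    private RedirectTargetCheck() {}

    /**
     * Returns the target unchanged if it contains no control characters,
     * otherwise throws. Relative targets are accepted as-is so the container
     * can still fully-qualify them in sendRedirect().
     */
    public static String requireNoControlChars(String target)
            throws MalformedURLException {
        if (target == null || target.isEmpty()) {
            throw new MalformedURLException("redirect target is empty");
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // isISOControl covers U+0000-U+001F and U+007F-U+009F,
            // which includes CR (\r) and LF (\n).
            if (Character.isISOControl(c)) {
                // Report position and code point only; echoing the raw value
                // would carry the line break into the log.
                throw new MalformedURLException(String.format(
                        "control character U+%04X at index %d", (int) c, i));
            }
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {
            "/account/view?id=42",
            "orders/list.do",
            "/home\r\nX-Injected: 1",
            "/home\u0000",
        };
        for (String s : samples) {
            try {
                requireNoControlChars(s);
                System.out.println("accepted: " + s);
            } catch (MalformedURLException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The return value is what would then be handed to HttpServletResponse.sendRedirect, which keeps the job of fully-qualifying relative targets with the container.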