tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 14:52:48 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 4/1/2011 1:49 AM, Leon Rosenberg wrote:
> On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Ronald,
>>
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some proper input validation solves your problem.
>>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
>>
>> new URL(String) will throw a MalformedURLException if there are illegal
>> characters in the URL.
>>
> 
> This will work for 'correct urls', however, you don't necessarily need
> to send correct urls, and I suppose you don't want to:
> Consider this, struts1 like action:
> 	public ActionForward execute(ActionMapping mapping, FormBean bean,
> HttpServletRequest req, HttpServletResponse res) throws Exception {
> 
> 		//do something.... useful
> 		res.sendRedirect("pageResult?page=1");
> 		return null;
> 	}
> 
> This is not a syntactically correct url, but it will work in all
> browsers and save you a lot of stress in multi-url (i18n) portals.
> I would solve your problem by having multiple entry points for the
> actions which then can specify the final redirect path.

Yeah, I was thinking about this, too... instead of passing the actual
URL, just have a list of predefined URLs like "home" or "display" or
whatever and then just pass around a symbolic name... that way, the
worst a malicious user can do is get the wrong name and go to a
different part of the webapp... instead of being able to redirect to
evilsite.com.

That requires more work, of course, and may be the ultimate solution we
choose... but it's not going to work for some particular actions because
they really can be redirected to an arbitrary location within our
webapp, and enumerating those would not really be possible.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2V5sAACgkQ9CaO5/Lv0PA7cgCglfyxvxL2wzNeTJIOiWsmrCqA
CV4AoLgdmc3bG5I19J2tf9BLDxXme1Sh
=iQAo
-----END PGP SIGNATURE-----
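The two approaches discussed in this thread, a symbolic name mapped to a predefined path and a validated "arbitrary location within the webapp", as an added example that is not part of the thread or of any poster's code. The class name, the target names "home" and "display" and their paths are constructed for illustration; it assumes the javax.servlet 2.x API of the Tomcat 6/7 era. The validation is pure Java so it can be unit-tested without a container.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: builds redirect targets without trusting request input verbatim. */
public final class SafeRedirect {

    /** Symbolic names a client may pass; the paths themselves never come from the request. */
    private static final Map<String, String> NAMED_TARGETS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("home", "/index.jsp");     // constructed sample targets
        m.put("display", "/display.do");
        NAMED_TARGETS = Collections.unmodifiableMap(m);
    }
    private static final String DEFAULT_TARGET = "/index.jsp";

    private SafeRedirect() {}

    /** Case 1: symbolic name -> predefined path. Unknown names fall back to the default page. */
    public static String resolveNamed(String name) {
        String path = (name == null) ? null : NAMED_TARGETS.get(name);
        return (path != null) ? path : DEFAULT_TARGET;
    }

    /**
     * Case 2: an arbitrary location that must stay inside this webapp.
     * Returns the candidate unchanged if it is an acceptable context-relative path,
     * or null if it is rejected.
     */
    public static String sanitizeLocalPath(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        // Raw control characters (CR, LF, ...) are what make header injection possible.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        String lower = candidate.toLowerCase(Locale.ROOT);
        // Percent-encoded CR/LF: reject as well, since some clients decode before acting on Location.
        if (lower.contains("%0d") || lower.contains("%0a")) {
            return null;
        }
        // Must be a root-relative path. "//host" and "/\host" are treated as a different host
        // by browsers, which is the open-redirect case the thread wants to avoid.
        if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.indexOf('\\') >= 0) {
            return null;
        }
        // Reject ".." segments so the target cannot climb out of the context path.
        int end = candidate.length();
        int q = candidate.indexOf('?');
        int h = candidate.indexOf('#');
        if (q >= 0) end = Math.min(end, q);
        if (h >= 0) end = Math.min(end, h);
        for (String segment : candidate.substring(0, end).split("/")) {
            if ("..".equals(segment)) {
                return null;
            }
        }
        return candidate;
    }

    /**
     * sendRedirect() resolves a leading "/" against the server root, not the context,
     * so the context path is prepended here; rejected input falls back to the default page.
     */
    public static void sendLocalRedirect(HttpServletRequest req, HttpServletResponse res,
                                         String candidate) throws IOException {
        String local = sanitizeLocalPath(candidate);
        String path = (local != null) ? local : DEFAULT_TARGET;
        res.sendRedirect(req.getContextPath() + path);
    }

    /** Constructed sample inputs showing what is accepted and what is rejected. */
    public static void main(String[] args) {
        String[] samples = {
            "/page?x=1",                    // accepted
            "/page\r\nSet-Cookie: a=b",     // rejected: raw CR/LF
            "/ok%0d%0aX:y",                 // rejected: encoded CR/LF
            "//evilsite.com/",              // rejected: protocol-relative, leaves the host
            "/a/../b",                      // rejected: climbs out of the context
            "home"                          // rejected here; names go through resolveNamed()
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + sanitizeLocalPath(s));
        }
        System.out.println("home -> " + resolveNamed("home") + ", bogus -> " + resolveNamed("bogus"));
    }
}
```

An action that today calls res.sendRedirect(req.getParameter("next")) would call SafeRedirect.sendLocalRedirect(req, res, req.getParameter("next")) instead, and actions with a fixed set of destinations pass the parameter through resolveNamed(). Rejected input falls back to a default page rather than producing an error, so a tampered link degrades to "wrong page inside the webapp", which is the worst case the thread settles on.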
