tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Protecting against HTTP response splitting
Date Tue, 19 Apr 2011 01:51:11 GMT
Sebb,

Just saw your response from a few weeks back... (and responded directly
instead of to the list... it's been a long day).

On 4/1/2011 6:16 PM, sebb wrote:
> I may be missing something here, but can't you use the ctor:
> 
> URL(URL context, String spec)
> 
> and pass in a dummy context with a suitable protocol?

Maybe. The URL may or may not be fully-qualified, relative, etc.

I'm leaning more towards just protecting against control characters in a
header: there's no need to do a complete URL-parse to check for response
splitting.

A simple filter that wraps the response and overrides either
sendRedirect or setHeader(String, String) should do it.

I'd have to check to see how the two interact... whether calling
sendRedirect on a wrapped response will also set the header on the
wrapped response or set the header at a higher level where the wrapper
won't get called.

I'll post whatever I come up with.

Thanks,
-chris


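The filter sketched in the message above, written out as an added example (it is not Chris's code and not part of Tomcat): a Filter that wraps the response in an HttpServletResponseWrapper and rejects control characters in header names, header values and redirect targets. On the open question in the message: HttpServletResponseWrapper.sendRedirect delegates straight to the wrapped response, so a setHeader override is never reached for the Location header and sendRedirect must be overridden as well. Class and method names are my own.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Wraps the response so that header values and redirect targets containing
 *  CR, LF or other control characters are rejected before they reach the
 *  container, which stops a tainted value from terminating the header block
 *  and starting a second, attacker-controlled response. */
public class HeaderSplittingFilter implements Filter {
    /** True if the value holds CR, LF, any other C0 control, or DEL. */
    static boolean containsControlChars(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) return true;
        }
        return false;
    }

    /** Returns the value unchanged or throws, so no partial header is set. */
    static String checked(String value) {
        if (containsControlChars(value)) {
            throw new IllegalArgumentException("control character in header");
        }
        return value;
    }

    static class SafeResponse extends HttpServletResponseWrapper {
        SafeResponse(HttpServletResponse r) { super(r); }
        @Override public void setHeader(String name, String value) {
            super.setHeader(checked(name), checked(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(checked(name), checked(value));
        }
        // HttpServletResponseWrapper.sendRedirect delegates straight to the
        // wrapped response, so the Location header never passes through the
        // setHeader override above; the redirect target is checked here too.
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(checked(location));
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        chain.doFilter(req, new SafeResponse((HttpServletResponse) res));
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Cookies set through addCookie take a separate path in the wrapper and are not covered by the overrides above; map the filter to the URL patterns whose responses carry user-influenced header values.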
