tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Tue, 19 Apr 2011 01:55:52 GMT
Hash: SHA1


On 4/18/2011 9:51 PM, Christopher Schultz wrote:
> I'm leaning more towards just protecting against control characters in a
> header: there's no need to do a complete URL-parse to check for response
> splitting.
> A simple filter that wraps the response and overrides either
> sendRedirect or setHeader(String, String) should do it.
> I'd have to check to see how the two interact... whether calling
> sendRedirect on a wrapped response will also set the header on the
> wrapped response or set the header at a higher level where the wrapper
> won't get called.

Looks like I must override sendRedirect because otherwise the setHeader
call implemented in Response.sendRedirect isn't intercepted by the
wrapper class.

For those interested, see below for the implementation I came up with.

- -chris


import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

 * Prevents the application from setting HTTP headers that include
 * CR or LF characters. Specifically throws a MalformedURLException
 * for the sendRedirect method which is already declared to throw
 * IOException.
public class HttpResponseSplittingPreventionFilter
    implements Filter
    public void init(FilterConfig config)

     * Performs the filtering operation provided by this filter.
     * @param request The request being made to the server.
     * @param response The response object prepared for the client.
     * @param chain The chain of filters providing request services.
    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException
        if(response instanceof HttpServletResponse)
            response = new Wrapper((HttpServletResponse)response);

        chain.doFilter(request, response);

     * Called by the servlet container to indicate that a filter is being
     * taken out of service.<p>
    public void destroy()

    class Wrapper
        extends HttpServletResponseWrapper
        Wrapper(HttpServletResponse response)

        public void sendRedirect(String location)
            throws IOException
                throw new MalformedURLException("CR or LF detected in
redirect URL: possible http response splitting attack");


        public void setHeader(String name, String value)
                throw new IllegalArgumentException("Header value must
not contain CR or LF characters");

            super.setHeader(name, value);

        public void addHeader(String name, String value)
                throw new IllegalArgumentException("Header value must
not contain CR or LF characters");

            super.addHeader(name, value);

        private boolean containsCRorLF(String s)
            if(null == s) return false;

            int length = s.length();

            for(int i=0; i<length; ++i)
                char c = s.charAt(i);

                if('\n' == c
                   || '\r' == c)
                    return true;

            return false;
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message