tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Protecting against HTTP response splitting
Date Wed, 20 Apr 2011 14:10:21 GMT

Konstantin,

On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz <chris@christopherschultz.net>:
>>
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrapper class.
>>
>> For those interested, see below for the implementation I came up with.
>>
> 
>>            if(containsCRorLF(value))
>>                throw new IllegalArgumentException("Header value must
>> not contain CR or LF characters");
> 
> It would be better to check that all characters are correct ones rather
> than check for two specific incorrect characters.
> 
> Checking for \r \n only might not be enough. Though that depends on
> where the value comes from.

I was considering scouring the URL/URI specs for exactly what characters
are allowed but then decided that I didn't really care: I was mostly
concerned with thwarting a response-splitting attack and avoiding \r and
\n does that.

This isn't intended to be an outgoing HTTP header value validator.

Technically, this is over-engineered because it looks for /either/ \r
/or/ \n, rather than \r\n which should be the only way to exploit such a
vulnerability. :)

-chris
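The wrapper discussed in this thread, written out as an added example (not the code Christopher posted): it rejects a CR or LF in header names, header values and redirect targets, and also carries a stricter allow-list check of the kind Konstantin suggests. It assumes the javax.servlet API; the class and method names are the example's own.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Response wrapper that refuses header content capable of splitting the response. */
public class CrlfRejectingResponse extends HttpServletResponseWrapper {

    public CrlfRejectingResponse(HttpServletResponse response) {
        super(response);
    }

    /** True if the value contains a CR or an LF (either one is rejected, not only the pair). */
    static boolean containsCRorLF(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') return true;
        }
        return false;
    }

    /** Stricter allow-list alternative: only printable ASCII, SP and HTAB are accepted. */
    static boolean isPrintableFieldContent(String value) {
        if (value == null) return true;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!((c >= 0x20 && c <= 0x7E) || c == '\t')) return false;
        }
        return true;
    }

    /** Returns the value unchanged, or throws if it could terminate the header line. */
    private static String check(String what, String value) {
        if (containsCRorLF(value))
            throw new IllegalArgumentException(what + " must not contain CR or LF characters");
        return value;
    }

    @Override public void setHeader(String name, String value) {
        super.setHeader(check("Header name", name), check("Header value", value));
    }

    @Override public void addHeader(String name, String value) {
        super.addHeader(check("Header name", name), check("Header value", value));
    }

    /** Overridden because Tomcat's sendRedirect sets Location internally, bypassing the wrapper's setHeader. */
    @Override public void sendRedirect(String location) throws IOException {
        super.sendRedirect(check("Redirect location", location));
    }
}
```

Swap check() to use isPrintableFieldContent() if the values are untrusted enough that a full allow-list is wanted rather than the CR/LF test alone.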


