tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Wed, 20 Apr 2011 14:10:21 GMT

On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz <>:
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrapper class.
>> For those interested, see below for the implementation I came up with.
>>            if(containsCRorLF(value))
>>                throw new IllegalArgumentException("Header value must not contain CR or LF characters");
> It would be better to check that all characters are correct ones rather
> than check for two specific incorrect characters.
> Checking for \r \n only might not be enough. Though that depends on
> where the value comes from.

I was considering scouring the URL/URI specs for exactly what characters
are allowed but then decided that I didn't really care: I was mostly
concerned with thwarting a response-splitting attack and avoiding \r and
\n does that.

This isn't intended to be an outgoing HTTP header value validator.

Technically, this is over-engineered because it looks for /either/ \r
/or/ \n, rather than \r\n which should be the only way to exploit such a
vulnerability. :)

- -chris
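As an added illustration of the two approaches discussed in this thread (this wrapper is hypothetical, not the code Chris posted, and assumes the javax.servlet API): it takes Konstantin's allow-list suggestion, accepting only visible ASCII, space and tab in a header value, which is stricter than the HTTP header grammar but rejects CR, LF and every other control character in one check, and it overrides sendRedirect because the container writes the Location header without passing through the wrapper's setHeader.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical response wrapper that refuses header values capable of
 * splitting the response. Wrap the response with it in a Filter.
 */
public class HeaderGuardingResponse extends HttpServletResponseWrapper {

    public HeaderGuardingResponse(HttpServletResponse response) {
        super(response);
    }

    /** Allow-list: true only if every character is visible ASCII, space or tab. */
    static boolean isSafeHeaderValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\t' && (c < 0x20 || c > 0x7E)) {
                return false; // CR, LF, NUL, other controls and non-ASCII
            }
        }
        return true;
    }

    private static String checked(String name, String value) {
        if (value != null && !isSafeHeaderValue(value)) {
            throw new IllegalArgumentException(
                "Illegal character in value of header '" + name + "'");
        }
        return value;
    }

    @Override
    public void setHeader(String name, String value) {
        super.setHeader(name, checked(name, value));
    }

    @Override
    public void addHeader(String name, String value) {
        super.addHeader(name, checked(name, value));
    }

    // sendRedirect sets Location internally, bypassing setHeader above, so the
    // redirect target is checked here with the same rule (assumption: the
    // target has already been URL-encoded, so it is plain ASCII).
    @Override
    public void sendRedirect(String location) throws IOException {
        super.sendRedirect(checked("Location", location));
    }
}
```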