Konstantin,
On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz <chris@christopherschultz.net>:
>>
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrapper class.
>>
>> For those interested, see below for the implementation I came up with.
>>
>
>> if(containsCRorLF(value))
>>     throw new IllegalArgumentException("Header value must not contain CR or LF characters");
>
> It would be better to check that all characters are correct ones rather
> than check for two specific incorrect characters.
>
> Checking for \r \n only might be not enough. Though that depends on
> where the value comes from.
I was considering scouring the URL/URI specs for exactly what characters
are allowed but then decided that I didn't really care: I was mostly
concerned with thwarting a response-splitting attack and avoiding \r and
\n does that.
This isn't intended to be an outgoing HTTP header value validator.
Technically, this is over-engineered because it looks for /either/ \r
/or/ \n, rather than \r\n which should be the only way to exploit such a
vulnerability. :)
- -chris
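A response wrapper of the kind described in this thread, as an added example rather than Chris's posted implementation: it assumes the javax.servlet API of that era, and the class name and helper names are my own choice.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Rejects header values that contain CR or LF, which is what an HTTP
 * response-splitting attempt needs to inject a second header block.
 * (Constructed example; not Tomcat's or the original poster's code.)
 */
public class NoSplitResponseWrapper extends HttpServletResponseWrapper {

    public NoSplitResponseWrapper(HttpServletResponse response) {
        super(response);
    }

    /** True if the value contains a carriage return or a line feed. */
    static boolean containsCRorLF(String value) {
        return value != null
            && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /** Returns the value unchanged, or throws if it could split the response. */
    private static String checked(String value) {
        if (containsCRorLF(value)) {
            throw new IllegalArgumentException(
                "Header value must not contain CR or LF characters");
        }
        return value;
    }

    @Override
    public void setHeader(String name, String value) {
        super.setHeader(name, checked(value));
    }

    @Override
    public void addHeader(String name, String value) {
        super.addHeader(name, checked(value));
    }

    // The container's own sendRedirect sets the Location header on the wrapped
    // response directly, so the overrides above never see it; the same check
    // therefore has to be applied to the redirect target as well.
    @Override
    public void sendRedirect(String location) throws IOException {
        super.sendRedirect(checked(location));
    }
}
```

Konstantin's suggestion of an allowlist (accepting only characters that are valid in a header value) would replace containsCRorLF with a positive check; the wrapper structure stays the same.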