From sebb <seb...@gmail.com>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 22:16:57 GMT
On 1 April 2011 15:49, Christopher Schultz <chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ronald,
>
> On 3/31/2011 8:21 PM, Christopher Schultz wrote:
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some proper input validation solves your problem.
>>> Does new URL(redirectURL).toString() give an exception on invalid url's?
>>
>> new URL(String) will throw a MalformedURLException if there are illegal
>> characters in the URL.
>>
>> I suppose that's good enough for my purposes: the only returnURLs that
>> should be generated should be coming from our own application, and if
>> they are broken, it's a bug. If a MalformedURLException is thrown, it
>> should be due to some sort of malicious use and the user is better off
>> getting a nasty error than just about anything else.
>
> Apparently, it's more complicated than that... at least when it comes to
> my particular application... we want to keep the URLs as short as
> possible, so they are not fully-qualified in most cases. Instead, they
> are webapp-relative and blindly passing them into the java.net.URL
> constructor fails even for "real" URLs because they have no protocol.

I may be missing something here, but can't you use the ctor:

URL(URL context, String spec)

and pass in a dummy context with a suitable protocol?

> Now, I could add code to fully-qualify them, but then I'd be doing work
> I'm already asking the container to do for me (since
> HttpServletResponse.sendRedirect is required to fully-qualify the URL
> anyway) and I'd prefer to rely on the container for that task -- it's
> likely to do a better job, anyway :)
>
> I think I'm going to standardize on simply scanning for troublesome
> characters like \r and \n and throwing a MalformedURLException or
> something like that.
>
> If anyone else has any good ideas or warnings about what might be a
> naive sanitization check, I'd be glad to hear them.
>
> Thanks,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2V5gsACgkQ9CaO5/Lv0PBgfwCeOrioFeSvp8iUJ51a9qJqAny3
> 8QkAn0c12aRinn7eoGUoAgA2uYydVQA/
> =bwLF
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

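An added illustration of the two ideas in this exchange, written for this archive page and not code from either poster or from Tomcat: the explicit CR/LF scan Chris says he will standardize on, plus sebb's suggestion of resolving a webapp-relative spec against a dummy context via `URL(URL context, String spec)`. The class name `SafeRedirect`, the method names and the `http://localhost/` context URL are all assumptions. One design choice worth noting: the resolved URL is re-parsed with `java.net.URI` (via `URL.toURI()`), because the `java.net.URL` javadoc states that `URL` does not encode, decode or validate components against RFC 2396, whereas `URI` rejects illegal characters with a `URISyntaxException`. The relative-path policy (target must start with a single `/`) is a separate open-redirect guard, also this example's own choice.

```java
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;

/**
 * Hypothetical helper for validating a webapp-relative redirect target before it
 * is handed to HttpServletResponse.sendRedirect(). Not part of any project.
 */
public final class SafeRedirect {

    // Dummy context (an assumption for this example) so that webapp-relative
    // specs such as "/account/home" can be parsed by java.net.URL at all.
    private static final URL DUMMY_CONTEXT;
    static {
        try {
            DUMMY_CONTEXT = new URL("http://localhost/");
        } catch (MalformedURLException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** The explicit scan from the thread: CR, LF (and NUL) must never reach a Location header. */
    static boolean containsHeaderBreak(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the target unchanged if it passes every check; otherwise throws
     * MalformedURLException, mirroring the behaviour Chris described wanting.
     */
    public static String validateRelativeTarget(String target) throws MalformedURLException {
        if (target == null || target.isEmpty()) {
            throw new MalformedURLException("empty redirect target");
        }
        // 1. Raw control-character scan (the check proposed in the thread).
        if (containsHeaderBreak(target)) {
            throw new MalformedURLException("control character in redirect target");
        }
        // 2. Relative-only policy (this example's own choice): must be a path inside
        //    this webapp, so no scheme and no network-path form like "//other-host/".
        if (!target.startsWith("/") || target.startsWith("//")) {
            throw new MalformedURLException("redirect target must be an absolute path in this webapp");
        }
        // 3. sebb's suggestion: parse the relative spec against a dummy context, then
        //    re-parse strictly with java.net.URI, which rejects illegal characters
        //    (including percent-free spaces) that java.net.URL lets through.
        URL resolved = new URL(DUMMY_CONTEXT, target);
        try {
            resolved.toURI();
        } catch (URISyntaxException e) {
            throw new MalformedURLException("redirect target is not a valid URI: " + e.getReason());
        }
        if (!"localhost".equals(resolved.getHost())) {
            // Defensive: a path-only spec can never change the context's host.
            throw new MalformedURLException("redirect target escaped the webapp");
        }
        return target;
    }

    /** Constructed sample inputs; run with: java SafeRedirect */
    public static void main(String[] args) {
        String[] samples = {
            "/account/home?tab=2",          // accepted
            "/login\r\nSet-Cookie: x=y",    // rejected by the CR/LF scan
            "//evil.example/phish",         // rejected by the relative-only policy
            "http://evil.example/",         // rejected by the relative-only policy
            "/search?q=a b",                // rejected by the strict URI re-parse
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + validateRelativeTarget(s));
            } catch (MalformedURLException e) {
                System.out.println("REJECT  " + s.replace("\r", "\\r").replace("\n", "\\n")
                        + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a servlet the call site would be `response.sendRedirect(SafeRedirect.validateRelativeTarget(returnUrl))`, which keeps the container responsible for fully qualifying the URL, as Chris wanted, while the scan and the strict re-parse run before anything reaches the response headers.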