tomcat-users mailing list archives

From sebb <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 22:16:57 GMT
On 1 April 2011 15:49, Christopher Schultz <> wrote:
> Ronald,
> On 3/31/2011 8:21 PM, Christopher Schultz wrote:
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some proper input validation solves your problem.
>>> Does new URL(redirectURL).toString() give an exception on invalid url's?
>> new URL(String) will throw a MalformedURLException if there are illegal
>> characters in the URL.
>> I suppose that's good enough for my purposes: the only returnURLs that
>> should be generated should be coming from our own application, and if
>> they are broken, it's a bug. If a MalformedURLException is thrown, it
>> should be due to some sort of malicious use and the user is better off
>> getting a nasty error than just about anything else.
> Apparently, it's more complicated than that... at least when it comes to
> my particular application... we want to keep the URLs as short as
> possible, so they are not fully-qualified in most cases. Instead, they
> are webapp-relative and blindly passing them into the
> constructor fails even for "real" URLs because they have no protocol.

I may be missing something here, but can't you use the ctor:

URL(URL context, String spec)

and pass in a dummy context with a suitable protocol?

> Now, I could add code to fully-qualify them, but then I'd be doing work
> I'm already asking the container to do for me (since
> HttpServletResponse.sendRedirect is required to fully-qualify the URL
> anyway) and I'd prefer to rely on the container for that task -- it's
> likely to do a better job, anyway :)
> I think I'm going to standardize on simply scanning for troublesome
> characters like \r and \n and throwing a MalformedURLException or
> something like that.
> If anyone else has any good ideas or warnings about what might be a
> naive sanitization check, I'd be glad to hear them.
> Thanks,
> - -chris

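The two ideas in this thread put together as an added example (this is not code from the thread, from Tomcat or from the Servlet API; class and method names are made up for illustration): Chris's explicit scan for CR/LF before the value reaches sendRedirect(), plus java.net.URI as the strict parser, since URI accepts webapp-relative references (which is what tripped up new URL(String) above) and rejects control characters. As an extra guard that goes beyond the thread, the check also refuses absolute URLs and scheme-relative "//host/..." targets, so a returnURL cannot be turned into an open redirect. sebb's URL(URL context, String spec) suggestion is shown for comparison with a dummy context that only supplies the protocol.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;

public final class RedirectTargetCheck {

    // Hypothetical helper: true if the string contains any ASCII control character.
    // CR (0x0d) and LF (0x0a) are the ones that split a response; the rest are
    // never legitimate in a URL either, so reject the whole range.
    static boolean containsControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    // Validate a webapp-relative redirect target before passing it to
    // HttpServletResponse.sendRedirect(). Throws MalformedURLException, as the
    // thread proposes, so callers can treat it like a parse failure.
    static String validateRelativeRedirect(String target) throws MalformedURLException {
        if (target == null || containsControlChars(target)) {
            throw new MalformedURLException("control character in redirect target");
        }
        URI uri;
        try {
            // URI, unlike URL, parses relative references and rejects illegal characters.
            uri = new URI(target);
        } catch (URISyntaxException e) {
            throw new MalformedURLException("unparseable redirect target: " + e.getMessage());
        }
        // Extra guard (not in the thread): no scheme and no authority, i.e. no
        // "http://evil/" and no "//evil/", only paths relative to this webapp.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            throw new MalformedURLException("redirect target must be webapp-relative");
        }
        return target;
    }

    // sebb's suggestion: give URL a context so a spec with no protocol still parses.
    // The context host is a dummy; only its protocol matters for the parse.
    static URL resolveAgainstDummyContext(String target) throws MalformedURLException {
        URL context = new URL("http://localhost/");
        return new URL(context, target);
    }

    // Constructed sample inputs: two legitimate targets, one header-injection
    // attempt, one absolute URL and one scheme-relative URL.
    public static void main(String[] args) throws Exception {
        String[] samples = {
            "/app/account/summary.jsp?tab=2",
            "account/summary.jsp",
            "/app/x\r\nSet-Cookie: evil=1",
            "http://evil.example/",
            "//evil.example/phish",
        };
        for (String s : samples) {
            try {
                validateRelativeRedirect(s);
                System.out.println("OK      " + escape(s));
            } catch (MalformedURLException e) {
                System.out.println("REJECT  " + escape(s) + "  (" + e.getMessage() + ")");
            }
        }
        System.out.println(resolveAgainstDummyContext("/app/account/summary.jsp"));
    }

    static String escape(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }
}
```

The explicit control-character scan is the primary defence and is deliberately kept separate from the parse: it is the check that cannot be argued with, while the URI step adds structural validation on top. If the application ever needs to allow fully-qualified returnURLs, drop the isAbsolute()/getRawAuthority() guard and replace it with a host allow-list rather than removing the check entirely.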