tomcat-users mailing list archives

From Leon Rosenberg <rosenberg.l...@gmail.com>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 05:49:35 GMT
On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz
<chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ronald,
>
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
>
> new URL(String) will throw a MalformedURLException if there are illegal
> characters in the URL.
>

This will work for 'correct urls'; however, you don't necessarily need
to send correct urls, and I suppose you don't want to.
Consider this Struts1-like action:
	public ActionForward execute(ActionMapping mapping, FormBean bean,
			HttpServletRequest req, HttpServletResponse res) throws Exception {

		// do something.... useful
		res.sendRedirect("pageResult?page=1");
		return null;
	}

This is not a syntactically correct url, but it will work in all
browsers and save you a lot of stress in multi-url (i18n) portals.
I would solve your problem by having multiple entry points for the
actions which then can specify the final redirect path.

regards
Leon
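
The following is an added example, not part of the original thread: it runs the relative target from the message above through new URL(String) and through a separate check that rejects control characters (CR/LF) and parses with java.net.URI, which accepts relative references. The class and method names and the injected sample string are assumptions made up for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;

public class RedirectTargetCheck {

    // Hypothetical helper: true if the target may be passed to sendRedirect().
    static boolean isSafeRedirectTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // CR, LF and other control characters must never reach the Location header.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        try {
            // java.net.URI parses relative references; new URL(String) needs a protocol.
            new URI(target);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String relative = "pageResult?page=1";                     // from the message above
        String injected = "pageResult?page=1\r\nX-Injected: yes";  // constructed sample

        // The URL-based check discussed in the thread, applied to the relative target.
        try {
            new URL(relative);
            System.out.println("new URL accepted: " + relative);
        } catch (MalformedURLException e) {
            System.out.println("new URL rejected: " + e.getMessage());
        }
        System.out.println("relative target safe: " + isSafeRedirectTarget(relative));
        System.out.println("injected sample safe: " + isSafeRedirectTarget(injected));
    }
}
```

In an action like the one above, the check would run on any request-derived value before it is handed to res.sendRedirect().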
