tomcat-users mailing list archives

From Leon Rosenberg <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Fri, 01 Apr 2011 05:49:35 GMT
On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz
<> wrote:
> Ronald,
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
> new URL(String) will throw a MalformedURLException if there are illegal
> characters in the URL.

This will work for 'correct URLs'; however, you don't necessarily need
to send correct URLs, and I suppose you don't want to.

Consider this Struts 1-like action:

	public ActionForward execute(ActionMapping mapping, FormBean bean,
			HttpServletRequest req, HttpServletResponse res) throws Exception {

		//do something.... useful
		return null;
	}

This is not a syntactically correct URL, but it will work in all
browsers and save you a lot of stress in multi-URL (i18n) portals.
I would solve your problem by having multiple entry points for the
actions, which then can specify the final redirect path.
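
One way to realise the "multiple entry points" idea from this message, as an added example that is not code from the thread: the request supplies only an entry-point key, and the redirect path comes from a server-side table. The class name, the table contents and the fallback path `index` are assumptions made for illustration; in a servlet the resolved value would be what gets passed to `res.sendRedirect(...)`.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;

public class RedirectTargets {

    // Constructed table: entry point -> fixed redirect path (relative on purpose).
    private static final Map<String, String> TARGETS = Map.of(
            "login", "overview",
            "logout", "goodbye?lang=en");

    // The check proposed earlier in the thread: does new URL(String) accept it?
    static boolean parsesAsUrl(String value) {
        try {
            new URL(value);
            return true;
        } catch (MalformedURLException e) {
            return false; // e.g. "no protocol" for a relative path
        }
    }

    // CR, LF and other control characters must never reach a header value.
    static boolean hasControlChars(String value) {
        return value.chars().anyMatch(Character::isISOControl);
    }

    // Request data is only a lookup key; it is never copied into Location.
    static String resolve(String entryPoint, String fallback) {
        String target = entryPoint == null ? null : TARGETS.get(entryPoint);
        return (target == null || hasControlChars(target)) ? fallback : target;
    }

    public static void main(String[] args) {
        // Constructed inputs; the fourth carries CR/LF as a splitting attempt would.
        String[] keys = {"login", "logout", "unknown", "login\r\nX-Injected: 1", null};
        for (String key : keys) {
            String target = resolve(key, "index");
            String shown = String.valueOf(key).replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + target
                    + " (new URL() accepts it: " + parsesAsUrl(target) + ")");
        }
    }
}
```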

